Static Analysis — VBSDeserialization | Threat: HIGH
File Identity
| Field | Value |
|---|---|
| SHA256 | 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056 |
| Size | 237,360 bytes (VBScript, ASCII text) |
| Name | xABCDEFGHIJKLMNOPQRSTUVWX (alphabet-obfuscated name) |
VBScript Base64 Chunk Functions
YSOSERIAL GADGET: .NET BinaryFormatter TextFormattingRunProperties deserialization chain!
```vbscript
Public Function enddealthem()
    enddealthem="AAEAAAD/////AQAAAAAAAAACAgAAAF5NaWNyb3NvZnQu..."
End Function
Public Function pilotshotluck()
    pilotshotluck="ZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1..."
End Function
...
```

-- 20+ VBScript Public Function stubs, each returning one base64 chunk
-- Naming: "enddealthem", "pilotshotluck", "tropicalnosort" (random dictionary words)
-- Concatenating the function calls in order yields the complete gadget; the call expression, not the definition order, fixes the chunk order
-- Decode: Base64 -> .NET BinaryFormatter object graph -> RCE once a BinaryFormatter.Deserialize call consumes it
-- Check: the first chunk decodes to the 17-byte MS-NRBF header 00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00 (root id 1, header id -1, version 1.0); the second chunk decodes to "e=neutral, PublicKeyToken=31bf385...", the tail of the assembly name decoded in the next section. As printed, the record byte right after the header is 0x02, whereas a ysoserial.net BinaryFormatter payload carries 0x0C (BinaryLibrary) there, so re-verify this fragment against the sample before turning it into a signature
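The reassembly and decoding described above, worked through as an added Python example (this is not code from the sample, nor from ysoserial.net or any other tool the profile names): it collects the Public Function chunk stubs, orders them by the call expression that concatenates them, base64-decodes the result, validates the 17-byte BinaryFormatter (MS-NRBF) header, and walks the leading BinaryLibrary and BinaryObjectString records to recover the assembly name and the gadget marker strings that the TextFormattingRunProperties section below lists by hand. Everything the script runs on is constructed: the stream has a genuine NRBF header and a BinaryLibrary record for the assembly name recovered from the sample, but the gadget XAML is replaced by marker text, and the chunk function names after the first three are invented. PROFILE_FRAGMENT is the 44 base64 characters quoted above; the parser accepts its header and then stops at the unexpected record byte.

```python
# Added example, not the sample's code: reassemble a VBScript dropper's base64
# chunks and triage the resulting .NET BinaryFormatter (MS-NRBF) stream.
# The VBScript text and the stream it wraps are constructed; see the lead-in.
import base64
import re
import struct

ASSEMBLY = ("Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, "
            "PublicKeyToken=31bf3856ad364e35")
GADGET_MARKERS = ("Microsoft.PowerShell.Editor", "TextFormattingRunProperties",
                  "ObjectDataProvider", "System.Workflow.ComponentModel")
# The 44 base64 characters quoted in this profile (its trailing "..." dropped).
PROFILE_FRAGMENT = "AAEAAAD/////AQAAAAAAAAACAgAAAF5NaWNyb3NvZnQu"
# First three names are from the profile; the rest are invented stand-ins.
CHUNK_NAMES = ["enddealthem", "pilotshotluck", "tropicalnosort",
               "quietharborlamp", "mintedfoxtrail", "copperkiteway", "ovalpinecrest"]
FUNC_RE = re.compile(r'Public\s+Function\s+(\w+)\s*\(\s*\)\s+\1\s*=\s*"([^"]*)"'
                     r"\s+End\s+Function", re.IGNORECASE)
CALL_RE = re.compile(r"=\s*((?:\w+\(\)\s*&\s*)+\w+\(\))")  # a() & b() & c()


def lp_string(s: str) -> bytes:
    """NRBF LengthPrefixedString: 7-bit variable-length byte count, then UTF-8."""
    data = s.encode("utf-8")
    n, out = len(data), bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out) + data


def read_lp_string(buf: bytes, pos: int) -> tuple:
    """Inverse of lp_string; returns (value, position after the string)."""
    n, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return buf[pos:pos + n].decode("utf-8"), pos + n


def build_synthetic_stream() -> bytes:
    header = struct.pack("<BiiII", 0x00, 1, -1, 1, 0)           # SerializationHeaderRecord
    library = struct.pack("<Bi", 0x0C, 2) + lp_string(ASSEMBLY)  # BinaryLibrary, id 2
    marker = ("constructed stand-in for the gadget XAML: TextFormattingRunProperties "
              "ObjectDataProvider System.Workflow.ComponentModel.AppSettings")
    text = struct.pack("<Bi", 0x06, 3) + lp_string(marker)       # BinaryObjectString, id 3
    return header + library + text + b"\x0B"                      # MessageEnd


def build_sample_vbs(stream: bytes) -> str:
    """Dropper layout: one Public Function per chunk; the call order fixes the payload order."""
    b64 = base64.b64encode(stream).decode("ascii")
    parts = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    names = [CHUNK_NAMES[i] if i < len(CHUNK_NAMES) else f"part{i}" for i in range(len(parts))]
    lines = []
    for name, part in reversed(list(zip(names, parts))):   # definitions scrambled on purpose
        lines += [f"Public Function {name}()", f'    {name}="{part}"', "End Function"]
    lines.append("payload = " + " & ".join(f"{n}()" for n in names))
    return "\r\n".join(lines) + "\r\n"


def reassemble(vbs: str) -> bytes:
    """Collect the chunk stubs, order them by the concatenation expression, decode."""
    vbs = re.sub(r"\s_\s*\r?\n", " ", vbs)                    # join VBScript line continuations
    chunks = {n.lower(): v for n, v in FUNC_RE.findall(vbs)}  # VBScript names are case-insensitive
    m = CALL_RE.search(vbs)
    if not m:
        raise ValueError("no chunk concatenation expression found")
    order = [n.lower() for n in re.findall(r"(\w+)\(\)", m.group(1))]
    missing = [n for n in order if n not in chunks]
    if missing:
        raise ValueError(f"called but never defined: {missing}")
    return base64.b64decode("".join(chunks[n] for n in order), validate=True)


def parse_nrbf_prelude(stream: bytes) -> dict:
    """Validate the 17-byte header, then walk the leading records a triage needs."""
    if len(stream) < 17 or stream[0] != 0x00:
        raise ValueError("not an NRBF stream: missing SerializationHeaderRecord")
    root_id, header_id, major, minor = struct.unpack_from("<iiII", stream, 1)
    if (major, minor) != (1, 0):
        raise ValueError(f"unexpected NRBF version {major}.{minor}")
    info = {"root_id": root_id, "header_id": header_id, "libraries": [], "strings": [],
            "stopped_at": None, "markers": [g for g in GADGET_MARKERS if g.encode() in stream]}
    pos = 17
    while pos < len(stream):
        rt = stream[pos]
        if rt == 0x0C:                                     # BinaryLibrary: id, assembly name
            lib_id = struct.unpack_from("<i", stream, pos + 1)[0]
            name, pos = read_lp_string(stream, pos + 5)
            info["libraries"].append((lib_id, name))
        elif rt == 0x06:                                   # BinaryObjectString: id, value
            value, pos = read_lp_string(stream, pos + 5)
            info["strings"].append(value)
        else:                                              # MessageEnd (0x0B), class records, or junk
            info["stopped_at"] = (pos, rt)
            break
    return info


def decode_fragment(b64: str) -> dict:
    return parse_nrbf_prelude(base64.b64decode(b64, validate=True))


SYNTHETIC_STREAM = build_synthetic_stream()
SAMPLE_VBS = build_sample_vbs(SYNTHETIC_STREAM)

if __name__ == "__main__":
    print(SAMPLE_VBS)
    print(parse_nrbf_prelude(reassemble(SAMPLE_VBS)))
    print(decode_fragment(PROFILE_FRAGMENT))  # header parses, then stops at record byte 0x02
```

Against a real sample, `reassemble` is the part to adapt (the concatenation expression may be split across several statements or wrapped in a Replace call); `parse_nrbf_prelude` stops at the first class record on purpose, because the assembly name and the marker strings are enough to attribute the chain, and a full NRBF walk is not needed for triage.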
TextFormattingRunProperties: .NET Deserialization RCE
Decode: "Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
+ "TextFormattingRunProperties" (Microsoft.VisualStudio.Text.Formatting)
+ "ObjectDataProvider x:Key=type ObjectType={x:Type s:Type} MethodName=GetType"
+ "System.Workflow.ComponentModel.AppSettings, System.Workflow.ComponentModel..."
+ "disableAc..." (truncated in the dump; the System.Workflow.ComponentModel.AppSettings switch that ysoserial.net's ActivitySurrogateDisableTypeCheck gadget flips is DisableActivitySurrogateSelectorTypeCheck, which fits this prefix)

-- TextFormattingRunProperties = known .NET BinaryFormatter gadget chain; the Microsoft.PowerShell.Editor assembly name and the Microsoft.VisualStudio.Text.Formatting type are exactly what ysoserial.net emits for it
-- the format is the one produced by the ysoserial.net tool
-- ObjectDataProvider XAML injection: calls an arbitrary .NET method when the XAML is loaded
-- System.Workflow.ComponentModel = supporting gadget chain component; Type.GetType on AppSettings followed by a disableAc... setter is the shape of the type-check-disabling stage, which executes no command by itself and is normally paired with a second (ActivitySurrogateSelector) payload that this excerpt does not show
-- RCE: requires a .NET BinaryFormatter.Deserialize call to consume the stream; the profile does not establish which component performs it (candidates: MSDT, WinWord, PowerShell)

Zero-Click Propagation Mechanism
Filename xABCDEFGHIJKLMNOPQRSTUVWX

-- Filename is the alphabet in order: hampers identification and keyword searches
-- VBScript runs without a .vbs extension when the engine is named explicitly: wscript.exe //E:VBScript <file>
-- Likely vectors (hypotheses; none is confirmed by the static analysis):
  1. XAML deserialization in Outlook or a web page (ClickOnce or WinWord)
  2. Invoking the file via PowerShell -EncodedCommand
  3. Launching wscript.exe through the WScript.Shell COM object
IOC
| Field | Value |
|---|---|
| SHA256 | 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056 |
| Technique | .NET BinaryFormatter TextFormattingRunProperties deserialization RCE |
| Tool | ysoserial.net (ObjectDataProvider+XAML gadget chain) |
VBSDeserialization — Malware Profile
VBScript carrying a .NET BinaryFormatter deserialization exploit: TextFormattingRunProperties ysoserial.net gadget chain with ObjectDataProvider XAML injection for RCE, base64-chunked across Public Function stubs for obfuscation, System.Workflow.ComponentModel gadget component, alphabet-obfuscated filename (xABCDEFG...).
Malware Type
Exploit
Programming Language
VBScript
C2 Protocol
Local/Network
Target Systems
Global
Capabilities & Behavior
Malware Activity
Persistence Mechanism
C2 Communication
Anti-Analysis
IOC List (1 indicator)
IOC — VBSDeserialization
# SHA256
61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056
| Type | Value | Note |
|---|---|---|
| sha256 | 61806a90c8fb132ce0c77195974d423840f81bb3b6b42b6a5572715e99f28056 | |