- The script starts by attempting to elevate its privileges. It then proceeds to disable the Task Manager, Command Prompt, Registry Tools, and Control Panel through registry modifications. It also restricts the execution of specific programs such as `msconfig.exe`, `Autoruns.exe`, `gpedit.msc`, `SystemSettings.exe`, and `procexp.exe` by modifying registry keys. User Account Control (UAC) settings are also modified. The script then attempts to terminate several processes, including `Taskmgr.exe`, `cmd.exe`, `msconfig.exe`, and `regedit.exe`.
- Keyboard layout is changed by writing to the registry, and the mouse buttons are swapped.
- The script downloads a file named `Background.jpg` from `https://www.mediafire.com/view/6rgzengdbh7mga3/Background.jpg/file` and sets it as the desktop wallpaper.
- The script then adds itself to the registry "Run" keys to ensure persistence across reboots.
- It creates several files in the `C:\Windows\System32\` and `C:\Windows\SysWOW64\` directories:
  - `C:\Windows\SysWOW64\msvcr80.dll.bat`: A batch file that continuously pings fanfiction.net.
  - `C:\Windows\System32\systemconfig.exe.vbs`: A VBScript that attempts to perform network scanning and send data to discovered targets on the local network.
  - `C:\Windows\advapi32_ext.vbs`: A VBScript that continuously terminates various processes, including `powershell.exe`, `taskmgr.exe`, `cmd.exe`, `regedit.exe`, `control.exe` and several antivirus-related processes.
  - `C:\Windows\System32\USB_bridge.vbs`: A VBScript that monitors for USB drive insertion and copies itself to the root of the inserted drive.
  - `C:\Windows\CDConnector.vbs`: A VBScript that continuously ejects the CD-ROM drive.
- The created files are then made hidden and system files. The script also creates registry entries to run these scripts on startup.
- The script attempts to modify the hosts file to block access to several websites related to antivirus software and malware removal.
- The script also contains ransomware functionality, which involves encrypting user files. The script enumerates files in specified directories, encrypts their content using XOR encryption with a generated key, appends a `.lcryx` extension to the encrypted files, and deletes the original files. It generates a ransom note named `READMEPLEASE.txt` on the desktop, instructing the victim to visit a URL on the Tor network for decryption instructions. The script also attempts to delete shadow copies and backup catalogs.